Friday, 3 April 2020

YesWeHack Cybersecurity Training Temporarily Free for Schools and Universities

YesWeHack, a European bug bounty platform, is providing universities and schools with free access to its educational platform YesWeHackEDU. This offer aims to allow educational institutions to hold a practice-oriented cybersecurity training. As of 1st April 2020, all universities and schools can benefit from free licenses of YesWeHackEDU, which are valid until 31st May 2020.

Preparation for IT Security Professions
YesWeHackEDU is aimed at educational institutions that, in the current situation, want to integrate IT topics and cybersecurity into their curricula via distance learning. The educational platform is a simulation of the real bug bounty platform of YesWeHack. The attack scenarios, which are available as practice projects, are simulations of real-world situations. Universities and schools also can kickstart a real bug bounty program on YesWeHackEDU to have their IT infrastructure security-proofed by their students.

YesWeHackEDU teaches the identification and elimination of vulnerabilities and allows both students and instructors to develop technical and managerial skills required to run successful bug bounty programmes. At the same time, it opens up prospects for sought-after professional specialisations such as DevSecOps, Data Science or Security Analysis. Furthermore, YesWeHack EDU facilitates the implementation of cooperations and cross-functional projects between academic institutions and the business community.

Young Cybersecurity Specialists more Needed than Ever
"The current COVID19 pandemic has driven students and teachers out of the classroom. For cybercriminals, however, the pandemic wave is by no means a reason to pause. They are even more active, taking advantage of the insecurity of many consumers" explains Guillaume Vassault-Houliere, CEO and co-founder of YesWeHack. "The training of future cybersecurity talents cannot, therefore, be delayed. We need to support educational institutions in their mission right now. YesWeHackEDU provides a world-class educational resource for educators and students to develop cybersecurity skills in times of pandemic.'

Free licenses for YesWeHackEDU are distributed worldwide with the support of YesWeHack education partner IT-GNOSIS and can be applied for here.

Wednesday, 1 April 2020

Cyber Security Roundup for April 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic, these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation, both UK citizens and 
businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing). Which prompted warnings by the UK National Cyber Security Centre and UK Banks, and a crackdown by the UK Government.
Convincing COVID-19 Scam Text Message (Smishing)

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

March threat intelligence reports shone a light to the scale of the cybercriminal shift towards exploiting COVID-19 crisis for financial gains. Check Point Global Threat Index reported a spike in the registration of coronavirus themed domains names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports for more 80% of the threat landscape is using coronavirus themes in some way.  There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anit-virus solution

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers and employees personal data.  

International hotel chain Marriot reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriots online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 Marriott disclosed a breach of 383 million guestsTony Pepper, CEO at Egress said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO”

Five billion records were found to be exposed by UK security company Elasticsearch.  Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information.  And Let’s Encrypt revoked over 3 million TLS certificates due to a bug which certification rechecking

March was another busy month for security updates, patch Tuesday saw Microsoft release fixes for 116 vulnerabilities and there was an out-of-band Microsoft fix for 'EternallDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle based software giants.  Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, safe home and watch for the scams.

BLOG
NEWS
    VULNERABILITIES AND SECURITY UPDATES
      AWARENESS, EDUCATION AND THREAT INTELLIGENCE

      Tuesday, 31 March 2020

      How Safe are Video Messaging Apps such as Zoom?

      I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



      'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

      My reply...
      Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

      Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

      Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

      So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

      The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

      And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


      Additional
      One tip I didn't have time to say on the podcast, is always ensure your video chats are set to private, using a strong password to prevent ZoomBombingRecent reports have shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls. 

      Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

      It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

      Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

      Risk mitigation:
      The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
      • Ensure Zoom is always on the latest software version
      • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
      • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
      Organisational preparedness:
      Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs are switched off, meaning Zoom will create a random, one-off ID for each meeting. These setting should be kept as is. But organisations can do more, including:
      • Ensure you also generate a meeting ID automatically for recurring meetings
      • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
      • Don’t share any meeting IDs online
      • Disable “file transfers” to mitigate risk of malware
      • Make sure that only authenticated users can join meetings
      • Lock the meeting once it’s started to prevent anyone new joining
      • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
      • Play a sound when someone enters or leaves the room
      • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”

      Thursday, 26 March 2020

      Working from Home Cybersecurity Guidance


      Working from home comes with a range of security risks, but employees need to be educated too – human behaviour is invariably the weakest link in a company’s cybersecurity posture. In the current environment, with many more employees working at home, cybercriminals are actively looking for opportunities to launch phishing attacks and compromise the IT infrastructure of businesses, large and small. 

      Guidance on Working from Home All companies should start by reviewing the home working guidance available at the UK Government’s National Cyber Security Centre (NCSC). This resource helps companies prepare their employees and think about the best way to protect their systems. Crossword has been advising a number of its FTSE clients in a range of sectors, and below is a summary of the guidance given, in addition to that from the NCSC.

      Run Audio and Video calls Securely

      What is visible in the background of your screen during video calls and is someone monitoring who is on the call? The same is true for audio only calls. A team member should be responsible for ensuring only invited guests are present, and calls should be locked once started, so other participants cannot join.

      Educate Employees on Phishing attacks
      The NCSC mentions COVID-19 related Phishing attacks which use the current crisis to trick employees into clicking on fake links, downloading malware, and revealing passwords – so educate them. These could be fake HR notifications or corporate communications; fake tax credits; fake emails from mortgage providers; free meals and mechanisms for registering for them. The list is endless and cyber criminals are very news savvy and quick to adapt. Employees are likely to be more vulnerable to phishing attacks due to people rushing, fear, panic, and urgency; all the behavioural traits that result in successful phishing attacks.

      Automate Virtual Personal Network configurations (VPNs) 
      IT and Security teams may have a backlog of users to set up on VPNs, to provide secure connections to corporate networks. Do not allow employees to send data insecurely, use automation to make accelerated deployments and guarantee correct configuration. Even IT staff are fallible, and the combination of pressure of work volume and working fast, may leave a gaping hole in your infrastructure.

      Control the use of Personal Devices for Corporate Work
      Due to the rapid increase in home workers, many employees may be using their own devices to access emails and data, which may not be covered by Bring Your Own Device (BYOD) policies. What this means in practicality, is that employee’s personal devices may not be securely configured, nor managed properly and be more vulnerable. IT and Security teams again, may need to retrospectively ensure that employees are complying with BYOD policies, have appropriate endpoint security software installed etc.

      Stop Personal Email and Unauthorised Cloud Storage Use
      When companies are experiencing IT difficulties in setting up employees working from home, people may be tempted to use personal emails or their personal cloud to send and store data, as a work around. These are a risk and can be easy for cyber criminals to target to gain company information or distribute malware, as they are not protected by the corporate security infrastructure.

      Keep Collaboration Tools Up-to-date
      Tools such as Microsoft Teams, Zoom and Google Hangouts are great, but it is important to ensure all call participants are using the latest versions of the software, and that includes partners and customers that may be on calls. Employees should also only use the corporate approved tools and versions as they will have been tested by security teams for vulnerabilities, that could be exploited by cybercriminals. 

      Stuart Jubb, Consulting Director at Crossword commented: “Throughout the UK, companies are doing everything they can to ensure business continues as normally as possible as the COVID-19 situation develops. The guidance we are issuing today is a summary of the key points we have been discussing with our clients across a wide range of vertical markets. Good IT security measures are arguably more important than ever as companies become a largely distributed workforce, almost overnight. As ever though, it is not just about the technology, but good behaviour and education amongst employees as cybercriminals work to exploit any vulnerability they can find, whether that be a person, mis-configured tech, or unpatched software.”

      Tuesday, 24 March 2020

      Coronavirus Cybersecurity: Scams To Watch Out For

      The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage its nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers. 

      That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with less cybersecurity measures in place than they would have in their office. 

      Malicious messages examples seen
      • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centre for Disease and Control (CDC), requesting a donation to research a vaccine.
      • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP
      • messages advertising protective masks and hand sanitisers from bogus websites
      So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

      1. Phishing Scams 
      This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

      Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

      The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

      Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

      It’s also worth noting, that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details. 

      2. Fake Websites
      Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

      In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the search bar. If there is a padlock in the search bar this means the site is secure, if there isn't, then it’s a good idea to avoid this site. Not only this but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag. 

      Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems to good to be true then it probably is. 

      3. App Scams 
      Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

      The reality, however, is that the app then installs malware into your device and not only comprises your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet demanding a ransom to get back in, threatening to delete all the information, contact details and photos stored inside.

      4. Fake Coronavirus Maps
      Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

      Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

      Look for the Red Flags 
      • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
      • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
      • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
      In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

      Monday, 23 March 2020

      UK Payment Card Contactless Limit Increased from £30 to £45 prevent Coronavirus Spread

      The contactless payment card limit for in-store card transactions in the UK will be increased from £30 to £45 from 1st April. A good move for preventing COVID-19 spread at supermarkets and petrol stations via card payment pinpads, which are impossible to keep sanitised.

      Better still, everyone right now can benefit from secure MFA contactless payments with higher limits by setting up Apple Pay, Google Pay or, Samsung Pay on your smartphone.

      BRC Head of Payments Policy, Andrew Cregan, said: “The last contactless limit increase to £30 took two years to implement but, given the extraordinary circumstances we face today, this new £45 limit will be rolled-out from next week. Some shops will take longer to make the necessary changes, given the strain they’re under. In the meantime, most customers can continue to make contactless payments for higher amounts using their smart phone.”

      Monday, 2 March 2020

      Cyber Security Roundup for March 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2020.

      Redcar and Cleveland Borough Council became the latest UK organisation to become the victim of a mass ransomware attack which started on 8th February.  The north-east Council's servers, PCs, mobile devices, websites and even phone lines have been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover and the cost is expected to between £11m and £18m to repair the damage done. A significant sum for the cash-strapped council, which confirmed their outage as ransomware caused 19 days after the attack. The strain of ransomware involved and the method initial infiltration into the council's IT systems has yet to be confirmed.


      The English FA shut down its investigation into allegations Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on alleged stolen internal email evidence obtained by a hacker.  Read The Billion Pound Manchester City Hack for further details.

      The UK government said GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".

      The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to UK's 5G infrastructure was final. 'Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on UK government's Huawei political, economic and security debate.

      Following Freedom of Information requests made by Viasat, it reported UK government employees had either lost or stolen 2,004 mobiles and laptops between June 2018 and June 2019.

      According to figures by the FBI, cybercriminals netted £2.7bn ($3.5bn) from cyber-crimes report 2019, with phishing and extortion remaining the most common method of scamming people. These FBI reported cybercrime losses have tripled over the past 5 years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for original people to tell "real from fake".  A new Kaspersky report backs up the FBI, finding a 9.5% growth in financial phishing during the final quarter of 2019.

      The Labour party is facing data protection fines of up £15m for failing to protect their members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of their investigation since it is legally responsible for securing members' information as the "data controller".

      This month's cloud misconfiguration breach award goes to french sports retail giant Decathlon, after 123 million customer records were found to be exposed by researchers at vpnMentor .  Leaked data included employee usernames, unencrypted passwords and personally identifiable information (PII) including social security numbers, full names, addresses, mobile phone numbers, addresses and birth dates. “The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.

      If you have a 'Ring' smart camera doorbell (IoT) device then may have noticed Two-Factor Authentication (2FA) was mandated in February.  Ring's stance of enforcing a strengthening of security may be related to several recent high-profile home camera hack reports.
      Ring: An IoT device's security improved by mandated 2FA

      The facial recognition company Clearview AI advised a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scrapped billions of individuals photos off the internet.

      BLOG
      NEWS
      VULNERABILITIES AND SECURITY UPDATES AWARENESS, EDUCATION AND THREAT INTELLIGENCE

      Tuesday, 18 February 2020

      The Billion Pound Manchester City Hack

      The sport of football is a multi-billion-pound global industry, where the world's top-drawer football clubs push competitive advantages to the extreme, not just for the prestige of winning trophies, as success on the pitch also means a greater slice of jaw-dropping TV, sponsorship and advertising revenues. 

      The key commodity in the football industry are football players, elite talent players command transfer fees up to 100 times their weight in gold and receive millions a year in wages.  Investing in recruiting the best football players increases the likelihood of winning matches, titles and lucrative financial rewards. The competition for success is especially fierce between Europe's largest football clubs. This is leading to ever-inflating player transfer fees and wages, rippling downwards throughout football's global pyramid of leagues, with many clubs gambling with financial outlays on recruiting player talent, in hope of achieving the financial rewards which success on the football pitch brings.

      Top Ten Football Club Revenues in 2018-19 (change from 2017-18)
      1 Barcelona                 £741.1m (+£129.5m)
      2 Real Madrid             £667.5m (+£2m)
      3 Manchester United £627.1m (+£37.3m)
      4 Bayern Munich £581.8m (+£24.4m)
      5 Paris St-Germain £560.5m (+£80.6m)
      6 Manchester City £538.2m (+£34.7m)
      7 Liverpool                 £533m    (+£77.9m)
      8 Tottenham               £459.3m (+£79.9m)
      9 Chelsea                  £452.2m (-£4.2m)
      10 Juventus                £405.2m (-£55.7m)
      Source: Deloitte Football Money League

      The Deloitte Football Money League illustrates the scale and growth in revenues at Europe's top tier clubs. Most of this revenue is acquired through participation in the UEFA Champions League (up to £150m), club sponsorship deals, and national league TV deals, especially the English Premier League, where clubs finishing in the top six positions are given around £150m a year. The number of bums on seats at stadia doesn't have the financial impact on a club's revenue stream as it once did. Success on the pitch is the greatest driver of a club's revenue, the new model of sustained success in football is recruiting and retaining the best squad of football players.

      Such high stakes and large financial numbers are a recipe for pushing and bending football's rules, Real Madrid, Barcelona, Atletico Madrid, Liverpool, Chelsea and Manchester City have all been disciplined for breaking youth player recruitment rules. Football's rules are written and enforced by football’s various governing bodies, starting with country-level governance such as the English Premier League and The English Football Association (The FA), continental level governance such as Union of European Football Associations (UEFA) and finally the global football authority which is Fédération Internationale de Football Association (FIFA).

      The Million Manchester City Pound Hack
      As football players are the key elements of achieving success, most top tier clubs invest heavily to build intelligence on the best players to recruit. Clubs operate scouting networks on a global scale, utilising applications to gather and record statistical player data, and employ expert analysts to crunch those stats. All to determine which players they should target to improve their squad, when they should attempt to buy, and how much they should spend to achieve a maximum return on their investment.
      Manchester City have a rocky relationship with UEFA

      The top two rivals competing for success in the English Premier League in recent years have been Manchester City and Liverpool football clubs, with both clubs winning several major titles. At the end of 2011/12 season, it was a different story, Manchester City had won the Premier League title while Liverpool finished in 8th position, outside of lucrative Champions League qualification and 47 points behind City.  At the end of this season, Liverpool 'poached' two of Manchester City's scouting and recruitment leads, Dave Fallows and Barry Hunter, as their head of scouting and chief scout respectively.  14 months after these appointments were made, Liverpool pay Manchester City £1 million as part of a confidential settlement, after it was alleged City’s cloud-based scouting application, Opta's Scout7, had been accessed by Liverpool FC staff on hundreds of occasions.  Whether this breach was 'assisted' by Manchester City not removing ex-employee access to their Scout7 app, or involved the hacking of City's accounts remains undisclosed.
      Player Scouting App Scout7

      The Premier League were not informed about this incident and the settlement until September 2019, when they launched an investigation, but confirmed on 7th February 2020 it would not be bringing any charges.  An FA spokesperson said: “The FA carefully considered the evidence received in this matter, including information provided by both clubs involved, and has decided not to progress the investigation. This is due to a number of factors including the age of the alleged concerns and the settlement agreed by the two clubs involved.  As per standard protocol, should the FA receive further information or evidence, the decision not to progress the investigation may be reviewed.” 

      Since the hack there has been a major resurgence with Liverpool's success on the pitch, under their current manager Liverpool have spent £400 million on recruiting new players, creating arguably one of the strongest squads they have ever had. A squad which won the Champions League last season, while this season Liverpool stands to win the Premier League title for the first time in their history by some distance. The role of this alleged City hack in Liverpool's recent rise to the top can never be understood, a coincidence or not, most football pundits agree Liverpool's player recruitment in recent years has been first class.

      As of 25th May 2018 such hacked data breaches are required to be disclosed to the UK's Information Commissioner's Office (ICO), and could theoretically cost Manchester City and perhaps Liverpool millions in fines under the recently updated UK Data Protection Act, which incorporates the European General Data Protection Regulation (GDPR). Given the Scout7 app holds the personal data of European players, and  GDPR fines can be up to 4% of global turnover, this means a potential ICO fine of up £20 million. And accessing or hacking into systems without permission is a criminal offence under the UK Computer Misuse Act.

      The Billion Pound Manchester City Hack
      On 14th February, UEFA's Chamber of the Club Financial Control Body (CFCB) announced its decision to ban Manchester City from competing in European competition for two years, and a £25 million fine for breaching UEFA’s Financial Fair Play (FFP) rules.  



      The revenue from missing two Champions League campaigns could cost the Manchester club around £300 million in total. The Premier League and the English FA are also investigating City on the back of the UEFA investigation, so could follow suit with their own FFP sanctions, with media speculating such investigations could result in City's relegation to England's bottom tier of professional football. Dropping to League Two could potentially cost the club around £1 billion in lost TV revenues alone.  However, Man.City quickly announced they will be challenging UEFA’s findings and disciplinary action through the Court of Arbitration for Sport (CAS), so it remains to be seen if those UEFA disciplinary sanctions will stand. City’s FFP woes all started with a hack of their email system, a hack which could ultimately cost the club over billion pounds.

      Is Football 'Wikileaks' Ethical?
      UEFA's investigation into City started with the club's hacked internal emails being disclosed to the media, by a hacker through a 'football leaks' website. On 5th November 2018, German magazine ‘Der Spiegel’ (The Mirror) published an article which claimed City and their sponsors had manipulated sponsorship contracts to circumvent UEFA FFP rules, inflating the value of their commercial income. The Spiegel article supported claims of FFP ‘wrongdoing’ by quoting extracts from senior Manchester City club officials stolen internal emails.

      Portuguese resident Rui Pinto is alleged to be the hacker who successfully hacked into City's internal email system in 2015. Pinto was arrested and remains in prison awaiting trial on 90 different counts of hacking, sabotage and fraud. Pinto reportedly took 70 million documents and 3.4 terabytes of information from a string of football clubs and high profile players, releasing the data via the 'football leaks' website (https://footballleaks2015.wordpress.com/).  

      Pinto told Der Spiegel he was aware of the risks of his work and is quoted as saying “I initiated a spontaneous movement of revelations about the football industry.  So depending on your viewpoint, and likely your football club loyalty, this 'Wikileaks for football' is either ethical on transparency grounds, or it should not be condoned given the information was obtained by illegal means.  Just like the actual Wikileaks, individual views will be polarised on the ethics of leaking private and confidential information into the public domain. Although given the tribal and competitive nature of most football fans, aside from Manchester City fans, most football fans are likely to agree the illegal method was justified.  


      Rui Pinto, Criminal Hacker or Whistleblower?

      It seems UEFA also agree with the illegal method used, as on the back of the Der Spiegel article and hacked emails, UEFA began its investigation into Manchester City on March 2019, stating “The investigation will focus on several alleged violations of FFP that were recently made public in various media outlets."  

      The 'Ethical' Legal Battle Ahead
      When police authorities and prosecutors do not collect evidence using legal means in criminal trials, such evidence becomes inadmissible in court. Digital evidence not forensically acquired can also be challenged and dismissed. Hacked emails as text files can be easily doctored. For instance, in 2018 said key documents supporting rape claims against Cristiano Ronaldo, as obtained through the Football Leaks website, were subsequently dismissed by Ronaldo's lawyers as having been fabricated by hackers.

      If all the other top tier football clubs had all their internal emails disclosed to the media and UEFA investigators, how many other clubs would be found to have bent or broken FFP rules as well?  There are many football fans deeply suspicious about the finances and commercial sponsorship deals at many of Europe’s elite football clubs.

      The City email hack will have significant ramifications on the football industry, the power of UEFA and its enforcement of FFP will be tested. With millions at stake, Manchester City’s lawyers and UEFA will be fighting it out in the courts in the coming months, the ethics of using data leaks as evidence will be one of the key arguments

      Let Him Who Is Without Sin Cast the First Stone
      UEFA doesn’t exactly have a good track record on ethics either, former UEFA Chief Michel Platini was banned from all football activity for 8 years by FIFA’s Ethics Committee in 2015. In June 2019 Platini was questioned by Police in regards to his backing of Qatar's bid to host the 2020 World Cup, despite allegedly telling American officials he would be voting for the United States. Then there is the ethics of UEFA fining football clubs multi-millions for breaching FFP, while at the same time fining clubs in the low thousands for breaches of its racism rules.