Threat Trends | 4 mins
Paris 2024 Olympics: Third-Party Cyber Risks Plague Global Events
The Paris 2024 Olympics is well into its fifth day as we compile this information for the readers of Hadrian: infosec practitioners, cybersecurity decision makers, and researchers.
Last week, Hadrian wrote about the probability of cyber attacks on the sponsors of the Paris 2024 Olympics. Feedback from our clients and readers highlighted a pattern that plagued all major sporting events of the world lately: growing third-party risks.
Take a look at these events listed in chronological order:
The 2012 London Olympics faced over 212 million cyberattacks, mainly Distributed Denial-of-Service (DDoS) and phishing, reported Security Magazine. These attacks targeted official websites and online ticketing platforms, causing significant disruptions. As a result, there were issues with online ticket sales and financial losses from phishing scams aimed at attendees and participants.
The reports we aggregated indicated that the extensive use of third-party vendors for ticketing, merchandise, and digital services exposed the Olympics to multiple attack vectors. Phishing attacks often targeted third-party websites related to the Olympics, leading to the compromise of personal and financial data of users
During the 2014 FIFA World Cup in Brazil, there were significant DDoS attacks, malware, and phishing attempts that targeted infrastructure such as ticketing and live streaming services, reported the Canadian Center for Cyber Security in its bulletin. These attacks caused disruptions during matches, leading to a loss of revenue and increased costs for enhanced cybersecurity measures.
The reliance on these third parties for critical functions such as streaming and ticket sales increased the attack surface, making it easier for attackers to disrupt services through DDoS attacks and malware. Successful DDoS attacks took down relevant sporting websites, such as that of the Ministry of Sport, said an event analysis report by the University of Berkeley.
The 2016 Rio Olympics in Brazil were hit by thousands of cyberattacks, including DDoS and ransomware, said a report by cybersecurity service Vercara. These attacks targeted official Olympic websites and media platforms, causing temporary shutdowns of websites, increased cybersecurity expenses, and public concern over data breaches.
The involvement of numerous third-party IT service providers for website management, online ticketing, and other digital services led to vulnerabilities. “Several public-facing web properties and organizations affiliated with the Rio Olympics suffered a sustained DDoS attack that lasted for several months,” reported cybersecurity service Tripwire.
The 2018 Winter Olympics in Pyeongchang, South Korea, experienced a significant cyberattack with the Olympic Destroyer malware. This attack targeted IT systems, including the official website and Wi-Fi networks, causing a twelve-hour outage of the Olympic website and disrupted Wi-Fi during the opening ceremony, Wired reported.
The malware, dubbed “Olympic Destroyer”, infiltrated the Olympic IT network through third-party providers, disrupting services such as the official website and Wi-Fi networks, said the report. The US later indicted six officers from the Russian GRU for several charges including deploying this malware.
The 2020 Tokyo Olympics faced over 4.4 billion cyberattacks, including DDoS, phishing, and malware, a steep rise from the 212 million documented attacks at the London 2012 Games, reported SecurityBrief Australia.
The vast network of third-party vendors and service providers, including those managing IT infrastructure, ticketing, and broadcasting, were primary targets for cyberattacks. In a prominent attack, the personal data of the event’s ticket holders as well as event volunteers were leaked online, reported Techwire Asia.
The 2022 FIFA World Cup in Qatar saw persistent cyberattacks, including identity-based attacks and phishing. These attacks targeted connected systems and personal data, leading to enhanced cybersecurity protocols and increased vigilance to protect sensitive information.
The prominent among the third parties attacked was New World TV, the satellite broadcaster that held free-to-air and pay-television rights to the 2022 Fifa World Cup in French-speaking sub-Saharan Africa, reported SportBusiness.
The need for 3rd Party Risk Monitoring
The ongoing 2024 Paris Olympics has been facing the prospects of a host of cybersecurity issues, including DDoS, phishing, and state-sponsored attacks. These attacks are anticipated to target IT systems, ticketing platforms, and critical infrastructure. Phishing continues to be the biggest threat here.
From January 2024 through late July, Cloudflare’s Cloud Email Security service processed over a million emails containing “Olympics” or “Paris 2024” in the subject, said the cybersecurity company’s report on the Paris 2024 Olympics.
“During the week of July 22-28, coinciding with the first few days of the Olympics, there was a 304% increase in such emails compared to the previous week and a staggering 3111% increase compared to the busiest week in January.”
The more stakeholders a project has, the higher the need for 3rd party risk monitoring. Hadrian continuously assesses 3rd party applications for risks that could result in a data breach of your critical data. Connect with us to know more.