The 2026 FIFA World Cup has kicked off across Canada, Mexico, and the United States. The NBA and Stanley Cup Finals are live at the same time. Global sport is at peak visibility. New research says attackers have noticed. Darktrace published its report, Cybersecurity in Global Sport, this week. The Cambridge-founded firm sells behavioral AI for threat detection, so the study doubles as a case for its own approach. Look past the pitch, and the survey data is striking. From shadow AI to phishing, it paints a picture of sports as a prime cyber target.
The headline figure is hard to ignore. Across 875 security professionals surveyed, 84% said their organization suffered a cyber incident in the past year. More than half were hit more than once. The survey spanned the US, UK, Australia, and Germany.
The Losses Are Real and They Compound
For cyber insurance underwriters, the loss data is the most useful part of the report. The average incident costs a sports organization $169,000 over the year. That number alone understates the exposure.
The damage stacks up fast. 57% of organizations were hit more than once. 43% logged between six and 10 incidents in a single year. For those organizations, the report puts the cumulative annual cost as high as $1.7 million.
The non-financial damage matters too. A hijacked executive account can move money. A breached ticketing system can halt entry on match day. Exposed athlete data can trigger legal and reputational fallout. In sport, failure is public by design.
Why Sport Is Such a Visible Target
Sport is a complex international entertainment business. It runs on ticketing platforms, cloud services, broadcast networks, mobile apps, and smart-stadium hardware. Each layer widens the attack surface.
Major tournaments raise the stakes further. The report frames the World Cup as temporary critical infrastructure. It spans governments, telecoms, cloud platforms, broadcasters, and sponsors at once. That makes the cyber risk look more like that of national infrastructure than of a normal commercial enterprise.
The attacker mix reflects that profile. Criminal groups chase extortion and fraud. Hacktivists chase visibility. State-aligned actors treat marquee events as a stage for signaling and disruption. The report is candid on the draw. Sport is attractive because it is visible, not because it is uniquely weak.
Email and Identity Remain the Front Door
The telemetry points to a familiar entry path. Email and identity are still the dominant attack vectors. Darktrace customers in sport received roughly 19% more phishing emails than customers in other sectors.
The volume is large. Darktrace logged more than 116,000 phishing emails against sports clients over six months. 21% targeted VIPs. 38% were spear-phishing attempts. A striking 84% passed DMARC authentication.
That last figure carries a warning. Attackers are not faking domains as often now. They are abusing trusted, authenticated platforms instead. QR-code phishing rose sharply in early 2026. These lures exploit a habit the sport sector helped normalize. Fans now scan codes for tickets and entry without a second thought.
The Shadow AI Problem Reaches the Pitch
The report’s AI section will feel familiar to insurers. The concern is shadow AI. That means staff and contractors are using unsanctioned AI tools without oversight.
In sport, the stakes are specific. Scouting notes, athlete health records, contract terms, and sponsorship plans can all end up inside third-party AI systems. The result is quiet data leakage and compliance exposure. (This resembles a pattern now visible across the calendar, from holiday ransomware spikes to seasonal risk around major regional events.)
The adoption curve makes it worse. 72% of respondents expect AI to raise cyber risk over the next year. Yet 35% are already pushing AI into stadium operations or plan to soon. Stadium operations is also the function they fear losing most. Sport is wiring AI into the area it can least afford to lose.
A Quiet Threat Aimed at the Loudest Moments
The sharpest warning in the report is about timing. The danger is not a loud, last-minute hit. It is silent pre-positioning that waits for the best time to strike.
Karim Benslimane is VP and Field CISO at Darktrace. He has led security for football and rugby World Cups and more than 500 events. “The most dangerous attacks on major sporting events are silent, supply-chain driven,” he said. They trigger when failure is least acceptable.
The case studies back this up. A 2025 Lynx ransomware incident showed attackers staging data weeks before encryption. Supply-chain compromise is a recurring theme. A trusted vendor with persistent access can become the path into a live event.
Nathaniel Jones leads security and AI strategy at Darktrace. He argues that static, rule-based defense no longer fits this environment. “A suspicious login or unusual data movement may look small in isolation,” he said. During a live event, it can turn serious in minutes.
The UK and Clubs Thread
The UK exposure runs through the clubs, not this year’s tournament. The report cites Manchester United’s 2020 ransomware scare. It also revisits the Manchester City Football Leaks dispute. Both show how cyber-enabled exposure becomes a long-tail legal and reputational problem.
The pattern extends across the Channel. The French Football Federation disclosed breaches in 2025 tied to a compromised account and a misconfigured API. Attackers reused stolen credentials months later. The recurrence points to persistent targeting ahead of France’s World Cup campaign.
Geopolitics Raises the Stakes for the Tournament
The World Cup angle is not only about scale. It is about intent. The report argues that major events draw state-aligned activity, not just criminal activity. Adversaries use the cyber domain to signal, to influence narratives, and to retaliate without crossing into open conflict.
Several tensions converge on this tournament. Russia remains excluded from international sport. The war in Ukraine continues. The United States backs Ukraine’s defense. Iran is a participant in the competition, which is held in a country with which it is at war. The report reads this mix as fuel for deniable, disruptive activity.
This matters for insurers in a specific way. State-aligned attacks raise hard questions about war exclusions and attribution. A disruptive incident timed to a final may have a symbolic impact far beyond its technical cost. Attribution is often inconclusive, which complicates both claims and coverage. The lesson is that the motive in sport is not always money. Sometimes the goal is the spectacle of failure itself.
What It Means for Cyber Insurance
The report reads as a control checklist in disguise. Identity is the primary control plane. Universal MFA, anomaly detection, and tight third-party access sit at the center. IT and OT cannot be secured in isolation.
That maps cleanly onto cyber underwriting. The losses are quantified. The controls are nameable. The threat actors are profiled. A franchise or team that cannot answer for its AI governance or its vendor access looks materially riskier at renewal.
The closing message is simple. Cyber risk in sport is now an operational and governance problem. It is not an IT footnote. The work has to be done before the kickoff, tipoff, or faceoff. Prevention, the report argues, beats prediction.
FAQ – Sports Cybersecurity
It found 84% of surveyed sports organizations had a cyber incident in the past year. More than half were hit multiple times. The survey covered 875 professionals across four countries.
The average incident cost $169,000. Organizations hit six to 10 times in a year faced cumulative costs as high as $1.7 million.
Sport combines global visibility, fixed schedules, high-value data, and large vendor networks. Disruption is public, and recovery windows are short. That mix appeals to criminal, hacktivist, and state-aligned actors.
It is staff using unsanctioned AI tools without oversight. Scouting notes, athlete health data, and contract terms can leak into third-party systems. The report flags it as a fast-growing exposure.
Universal MFA, identity anomaly detection, strict third-party access, and IT/OT segmentation. The report frames identity as the primary control plane.