Rapid digital transformation, massive public visibility, and strict, unyielding event timelines have turned sports clubs, stadium operators, and governing bodies into high-value targets for both financially motivated criminals and politically backed hackers.
A staggering 84% of professional sports organisations have experienced at least one cyber incident in the past year, according to a major new report released today by cybersecurity firm Darktrace.
According to a survey of 875 IT cybersecurity professionals across the US, UK, Australia, and Germany, a single cyber incident costs a sports organisation an average of $169,000. For the 57% of organisations targeted multiple times in the last 12 months, cumulative annual damages soared to as high as $1.7 million.
Security experts warn that the digital risk profile of major sporting events now closely mirrors national critical infrastructure rather than traditional commercial businesses.
Modern stadiums have effectively become interconnected “smart cities,” merging public Wi-Fi, ticketing systems, fan retail, and critical building operational technology like lighting and HVAC systems; and this convergence is a massive vulnerability.
Cybercriminals are increasingly exploiting weak network segmentation to move “laterally” through stadium environments. An attacker might gain access through a low-security entry point, such as an unpatched CCTV camera or a third-party vendor’s credentials, and navigate deeply into sensitive payment or operational systems.
This presents a nightmare scenario for operators, as 34% of IT professionals surveyed identified stadium operations during a live event as their most critical function to protect. Because sports events rely on strict live-broadcast schedules, attackers know that organisations have zero tolerance for downtime, giving hackers immense leverage during extortion or ransomware attempts.
The threat landscape is becoming further complicated by artificial intelligence and geopolitical tensions. Nearly three-quarters stated they believe AI will increase cyber risks over the next year.
According to Darktrace, attackers are using advanced AI to execute highly convincing social engineering and phishing campaigns.
The report also raises internal compliance alarms over “Shadow AI”, the unsanctioned use of public AI tools by employees. This practice risks leaking sensitive data, such as private athlete medical records, scouting intelligence, and confidential contract negotiations, into external, unsecured databases.
The report warns of a “World Cup Effect.” Cyber activity historically escalates alongside event visibility. With massive multi-national events like the upcoming 2026 FIFA World Cup on the horizon, the attack surface expands exponentially across different cities, countries, and fragmented security jurisdictions.
Darktrace emphasises that the sports industry must shift away from reactive incident responses and move toward structural cyber resilience. A call for immediate action recommends continuous vetting for supply chain vendors and partners, network segmentation, and Multi-Factor Authentication.
