< Back to Blog
Touchdown! Measuring External Cyber Posture and the NFL Hack
Research

Touchdown! Measuring External Cyber Posture and the NFL Hack

By Elad Shapira Jan 30, 20203 min read

This week, sports fans reacted with disbelief when it was discovered that 15 NFL teams’ social media accounts were hacked. Those targeted included the two teams that will play in the Super Bowl LIV Championship match on February 2, the Kansas City Chiefs and the San Francisco 49ers.

In addition to the Super Bowl contenders, the following teams were hacked as well:

  • Arizona Cardinals (Twitter account)
  • Buffalo Bills (Instagram and Facebook accounts)
  • Chicago Bears (Twitter account)
  • Cleveland Browns (Twitter account)
  • Dallas Cowboys (Twitter, Facebook, and Instagram accounts)
  • Denver Broncos (Twitter account)
  • Green Bay Packers (Twitter account)
  • Houston Texans (Twitter account)
  • Indianapolis Colts (Twitter account)
  • New York Giants (Twitter account)
  • Minnesota Vikings (Instagram account)
  • Philadelphia Eagles (Twitter account)
  • Tampa Bay Buccaneers (Twitter account)

The Cause

The group that claimed responsibility for the hacks is known as OurMine, which has also hijacked social media accounts of high-profile celebrities and companies such as Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey and Google CEO Sundar Pichai.

According to ZDNet, the group said in previous interviews that they used leaked passwords from data breaches to gain access to accounts on other websites. If this is indeed how they succeeded in hijacking the NFL social media, then this attack might have been prevented by

  • Changing passwords regularly
  • Avoiding re-use of the same password
  • Choosing more complex passwords
  • Adding two-factor authentication

But were there any warning signs that this could happen?

The Indicators

In September 2018, Panorays conducted research to determine the cyber posture of all the NFL teams. We did this by evaluating the attack surface of the teams to uncover cyber gaps, in the same way that a hacker would perform reconnaissance on a possible target.

In light of the recent hack, we thought it would be interesting to check our findings to see if any patterns could be found. We wanted to know: Was there any indication in 2018 that some of the teams might be less likely to be targeted?

We found out that the answer was yes.

The Results

In September 2018, Panorays listed five teams that had received the highest cyber posture scores. They included:

  • Kansas City Chiefs
  • New York Jets
  • Miami Dolphins
  • Los Angeles Rams
  • Pittsburgh Steelers

All five teams received a cyber posture score of at least 82, which was well above the average NFL team cyber posture rating of 79. Four out of five of these teams were not hacked. 

The one outlier was the Kansas City Chiefs. However, we discovered that much has changed for the team since we released our research: The Chiefs’ cyber posture rating dropped nearly 20% since then. In addition, the average NFL team cyber posture score fell as well, from 79 in 2018 to 72 in 2020.

The steep drops in cyber posture ratings underscore why it’s so important to not only thoroughly assess cybersecurity, but to continuously monitor for any changes.

Bottom Line

These findings clearly illustrate the accuracy of the Panorays third-party assessment method. Using Panorays, companies can get a comprehensive 360-degree view of cyber posture while continuously monitoring for changes in security.

Interestingly, Panorays also predicted in 2018 that the Chiefs would be the winning team. Will this turn out to be the case? We will find out on Sunday!

Find out how one company mitigated the security risk of a third party prior to a supply chain attack. 

humbnail
Elad Shapira

Elad Shapira is Head of Research at Panorays. As a cybersecurity lecturer and self-described geek, he likes hardware hacking, low level development, playing Capture the Flag and making and breaking things.

You may also like...
DishSnitch: The Who Left Dirty Dishes in the Sink” Detector”
Dec 19, 2019 DishSnitch: The Who Left Dirty Dishes in the Sink” Detector” Elad Shapira
Tips for Your Vendor Security: Closing the Most Common Cyber Gaps
Oct 31, 2019 Tips for Your Vendor Security: Closing the Most Common Cyber… Elad Shapira
Fourth-Party Security: Another Level of Security Management
Jun 18, 2019 Fourth-Party Security: Another Level of Security Management Elad Shapira
Get our latest posts straight to your inbox Subscribe

We use cookies to ensure you get the best experience on our website. Visit our Privacy Policy for more information.