Manchester City Football Club is currently investigating a potential breach of its web-based player scouting system. Scout7, the software provider, has defended itself, stating that the breach “involves use of valid passwords obtained from the Club”.
It is understood that the Club has confirmed a number of high-level signings in the past few weeks, and it is thought that this was done to limit the potential impact of the breach.
A Premier League chief scout told Sunday People Sport that access to a club’s scouting databases by a rival club would be “catastrophic”. The scout added that the information contained on a club’s private Scout7 system “can range from the obvious about their technical and football ability but also to more sensitive detail about financial aspects of any possible deal or personal information about the background and character of a player.”
The word ‘catastrophic’ usually sits at the top, most critical end of any scale, so it should prompt a correspondingly strong security posture, especially when signings of players cost in the region of £30 million. With the inclusion of ‘personal information’, potentially about players as young as 16 (or younger still if the system holds information on apprentices), clubs have not only a business requirement to keep their information secure, but also a duty to the individuals concerned under the Data Protection Act 2000.
Speculation by Infosecurity Magazine suggests that single-factor authentication (user password) is the likely level of security offered to City’s private scouting site (and probably those of “75% of English Premier League Clubs and more than 50% of Clubs in the top Leagues of France, Germany, Netherlands and Spain”). Scout7’s comment indicating a club-based password breach suggests exactly that.
Scout7 is marketed as a “private and secure web-based system”. With single-factor authentication, we believe that claim holds only where the loss or theft of business information is unlikely to have financial or reputational repercussions. When business deals worth tens of millions of pounds are taking place each month, and rivals, the press and certain members of the interested public will tirelessly seek to gain an upper hand, we believe one password (single-factor authentication) is far from adequate.
We recently published a blog post about Twitter and its culpability for a reputational and political breach involving The Associated Press’ @AP Twitter account. In response to that breach, Twitter promptly addressed the flaw by introducing a two-step authentication facility. We believe Twitter’s move was a credible solution to what had been an ongoing issue and, if used correctly, will vastly improve the security of a large proportion of the Twitter community.
Like Twitter, Scout7 appears to be the system of choice for a wide and distinguished user base, and we believe such a wealthy user base would hardly bat a collective eyelid at a slightly more expensive, but considerably more secure, system offering two-step authentication for the protection of their highly confidential scouting information.