Cybersecurity: What did the International Olympic Committee Learn from One of the Biggest Cybersecurity Disasters in History?


Every four years, the world’s greatest athletes come together for one purpose… to capture Olympic Gold. Though the Olympics is a symbol of global peace and unity and has been since its inception, malicious actors are using it to hijack your data and make a handsome profit in the process.  

Olympic cyber assaults have been increasing rapidly over the past 10 years. Everyone’s a target – athletes, coaches, attendees, vendors, your 13-year-old niece – everybody. 

Take it from someone who knows. Sagar Samtani has led research centers, published in countless journals, and spoken on various industry-wide stages about cybersecurity and cyber threat intelligence over his well-decorated career. Samtani, who currently serves as an Assistant Professor and Grant Thornton Scholar in the Department of Operations and Decision Technologies at the Kelley School of Business at Indiana University, asserts that reputation is everything to cyber threat actors, including their “…reputation within their community [and] reputation across different communities…” Though reputation is one of their primary driving forces, it isn’t the only one. Hackers are also highly motivated, according to Samtani, to make money.

Catastrophic cybersecurity fallout was on full display at the 2018 Pyeongchang Winter Olympics. That year, the Olympic Games fell victim to a strategic virtual raid. It caused the Internet Protocol televisions (IPTV) to malfunction, the main servers to shut down (attendees couldn’t access their tickets), the Wi-Fi in the Olympic Stadium to go out, and drones to be incapable of capturing media footage. The aftermath was devastating and something that the International Olympic Committee (IOC) was desperate to avoid ever again.

As a result, the 2020 Tokyo Summer Olympics’ (held in 2021, due to COVID-19) cybersecurity plan was viewed as nothing less than a success story. The IOC and local organizers identified their security vulnerabilities, created a plan to strengthen their cyber defenses, and then implemented it. The IOC also hired a cybersecurity firm, which included a dedicated team of 200 cybersecurity specialists. In short, this collaboration of experts thwarted over 500 million cyberattacks, which was 2.5 times the number of attempts made against the 2012 London Olympics.

What types of cyberthreats should home spectators be on the lookout for? 

This is a great question for Mike Spotts, the Chief Operating Officer of the Cyber Defense Labs in Dallas. His team was responsible for mitigating phishing, malware, distributed denial of service, and other cyber threats at the last Olympic Games. He points out that in addition to targeting the Olympics website, hackers use a variety of tactics, including fake emails, fake websites, and bogus streaming platforms, to steal confidential data.

An example of a fake website offering bogus online streaming services during the Tokyo Olympics.

(NBCDFW news, https://www.nbcdfw.com/news/sports/beijing-winter-olympics/how-cybersecurity-during-winter-olympics-is-a-massive-effort/2881894/ February 2022)  

In fact, according to Spotts, up to 80% of Olympic-related websites are scams. His advice is to “…try to slow down and review the Olympic-related links or emails that you’re seeing or being sent. If they look off or odd — or they look too good to be true — they usually are.”

Remote spectators should remain on high alert for fake internet pop-ups that lead to phony Olympic merchandise, streaming opportunities, and other frauds. Again, when in doubt, don’t engage.  

What does it take to provide a safe and secure virtual environment for the Olympics? 

Currently, hundreds of cybersecurity staff monitor the Olympics IT environment daily to mitigate all threats. Spotts explains that “…the Olympic website alone can see tens of thousands of malicious requests per second….” To say the least, the team has its work cut out for it.

If you’re considering running an event of Olympic magnitude, it’s important to place cybersecurity planning as one of your top priorities.  

Here are the questions that Spotts recommends asking when you’re developing a cybersecurity plan: 

  • Does the venue need to be upgraded, or does supporting infrastructure need to be built? 
  • How many servers and applications are required to house confidential data? 
  • Does the existing network support thousands of high-speed internet connections that are transmitting millions of pieces of data to the billions of people watching and taking part? 

What’s the next, biggest cybersecurity risk facing the Olympics?  

It’s the My 2022 Beijing Winter Olympics app. All athletes, press media, and attendees are required to both install and enter their personal information in the app.  

A Citizen Lab report revealed that the My 2022 Beijing Winter Olympics app asks for users’ private data but then doesn’t properly secure it. It appears that a flaw in the app’s encryption system makes it easy for bad actors to access users’ documents, audio, and files in cleartext form. 

The researchers also found that the app collects a large amount of sensitive information including: 

  • Real-time location 
  • List of installed apps 
  • Audio information 
  • Location access 
  • Device Identifiers 
  • WLAN status 
  • Complete passport information 
  • Daily health status 
  • COVID-19 vaccination status 
  • Demographic data 
  • Organization the user works for 

Chinese officials claim that all the above data is necessary to enable COVID-19 protection controls, translation services, navigation, and tourism recommendations. The app makers even disclose the data they capture in the privacy policy. However, the issue remains that, according to Citizen Lab, “the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.” 

Unsurprisingly, on February 4, 2022, the FBI addressed the My 2022 app privacy risks in a private industry notification (PIN). They advised participants and travelers to install the My 2022 application on temporary devices only and to leave their personal cell phones at home. The PIN also warned of other potential cyber threats, including ransomware, malware, and phishing campaigns, that were becoming increasingly common at the Olympics.

Again, whenever possible, avoid using apps that collect your confidential data yet fail to meet security standards set by global cybersecurity leaders. This just goes to show that threat actors are everywhere, so it’s important to protect yourself from becoming their next victim.