
Cyber Incident Victim: Manchester United F.C.

Date: Nov 2020

Location: United Kingdom

Summary

Manchester United F.C. experienced a cyber extortion attack that disrupted IT systems, affecting confidential scouting data and email operations. The club contained the incident with expert assistance but faced speculation of ransomware involvement, potentially linked to Ryuk or Emotet malware. Media reports suggested a multi-million pound ransom demand, though no official details were confirmed. The breach risked significant fines under UK data protection laws and US sanctions implications if payments were made. The attack mirrored broader trends targeting sports organizations, emphasizing vulnerabilities in critical infrastructure and data security.

Description

On November 20, 2020, Manchester United F.C. publicly confirmed a cyber attack had compromised its IT systems, forcing the club to implement containment measures and engage external cybersecurity experts to investigate the incident and minimize disruptions. The attack caused significant operational IT disruptions, though the club did not specify the exact nature or duration of these disruptions in its initial statement. Subsequent media reports by the Daily Mirror and Daily Mail on November 28 and 29, 2020, revealed that attackers had accessed the club’s scouting system, obtaining confidential information about player targets and scouting missions. Multiple UK newspapers additionally reported the club’s email system remained non-operational following the attack. Manchester United declined to disclose technical details about the attack vector, malware involved, or suspected perpetrators, stating it would not comment on speculation regarding responsibility or motives. The incident occurred amid heightened targeting of UK sports organizations by cybercriminals, as evidenced by a July 2020 National Cyber Security Centre (NCSC) report warning of ransomware campaigns against sports entities. That NCSC report referenced an unnamed English Football League club that suffered a ransomware attack disrupting turnstile operations and nearly causing a match cancellation, with attackers demanding 400 Bitcoin (over £300,000), which went unpaid.

The cyber attack exposed Manchester United to potential regulatory penalties under the UK Data Protection Act (GDPR), with fines of up to £18 million or 2% of global annual turnover possible if fan data was compromised. As a New York Stock Exchange-listed entity, the club also faced potential US sanctions fines of up to £15 million ($20 million) if it paid any ransom demand, per warnings from the US Office of Foreign Assets Control (OFAC) about the risks of funding sanctioned threat actors. Media outlets speculated the ransom demand could reach millions of pounds, drawing parallels to the NCSC’s report of a £5 million ransom demand against another football club. Manchester United did not confirm whether it received or negotiated any ransom demand, nor did it disclose financial losses from operational disruptions or recovery costs. The NCSC’s earlier report had noted attackers potentially gained access to football clubs via phishing emails or compromised CCTV-linked remote access systems, though no equivalent ingress method was confirmed in Manchester United’s case. Ongoing IT disruptions persisted beyond the initial containment efforts, particularly affecting email systems and scouting operations, though the club maintained public silence on remediation progress beyond its initial statement.
