Chapter 08 — Cybersecurity, Privacy, and Risk Management
Sports Context
Game Day Crisis
Jordan Matthews walked into Portland Thunder headquarters on what should have been one of the most exciting mornings of the season. The team had just made the playoffs for the first time in a decade — tonight’s sold-out home game against their division rivals had 18,000 fans expecting to attend.
Technology director Alex called: “Get down to the IT office immediately.” The ticketing platform was down. The fan database was inaccessible. The attacker had stolen sensitive data including season ticket holder credit card information and player contract details.
Cybersecurity had always seemed like something IT handled behind the scenes. Now, with 18,000 fans expecting entry in twelve hours, Jordan realized this was fundamentally a business crisis threatening the team’s reputation, revenue, and relationship with fans. A phishing email to a sales team member — disguised as a playoff ticket request — had cascaded into catastrophe.
Understanding the Breach
Owner Patricia assembled the leadership team. Technology director Alex explained the CIA Triad — the three pillars of security: Confidentiality (only authorized staff access fan credit cards and player medical records), Integrity (fan ticket seats and player injury reports remain unaltered), and Availability (fans can purchase tickets and access the mobile app on game day).
“Right now we have lost all three.” The malware — malicious software designed to disable systems — had encrypted files. Fans couldn’t access digital tickets. Turnstiles wouldn’t work. Concession and merchandise POS systems were offline.
Attackers exploited a vulnerability — an unpatched security weakness in the legacy ticketing system. The threat was a criminal group known for targeting sports and entertainment organizations.
The Thunder had never formally implemented risk management for cybersecurity — the process of identifying, assessing, and mitigating threats — despite having it in place for player injuries and stadium safety.
What Should Have Been in Place
Alex outlined missing defenses using a basketball analogy: “You don’t rely on just one defender. You have help defense, weak-side rotations, backup coverage. Cybersecurity needs the same layered approach.”
Encryption — converting data into a coded format readable only with the correct decryption key — would have made stolen fan credit cards useless. Like a safe: even if thieves break in, they can’t access contents without the combination.
Multi-Factor Authentication (MFA) — requiring multiple forms of identity verification — would have required both a password and a one-time code sent to the employee’s phone, so a stolen password alone would not have been enough. Jordan had MFA on personal banking and streaming services. Why hadn’t the Thunder mandated it for employees accessing fan payment data and player contracts? Convenience had won over security.
Also missing: employee security training on recognizing phishing emails that impersonate ticket brokers or sports agents, automated anomaly detection, timely software patching, and backup systems isolated from the production network.
Recovery: The Playoff Game Goes On
Patricia refused to pay the $3M ransom. Offsite backups existed — 48 hours old, but restorable. This illustrated Business Continuity Planning (BCP) — developing procedures so the organization can continue operating during disruptions.
Jordan was assigned the business continuity response. The game proceeded with manual processes: printed ticket lists, cash-only concessions, paper credential verification for media. Chaotic — but 18,000 fans were not turned away.
Financial impact: $1.2M in recovery, legal fees, notification, and lost revenue. Several season ticket holders didn’t renew. Patricia created a new Chief Information Security Officer role — and appointed Jordan.
The Cultural Shift
One year later: phishing click rates had dropped from 40% to 5%. Known vulnerabilities were reduced by 85%. Player agents cited the Thunder’s security posture as a positive factor in contract negotiations. Fan trust was rebuilt. Security became everyone’s job.
“Cybersecurity is everyone’s responsibility. Whether you work in ticket sales, marketing, player development, or facilities — you handle sensitive information people trust us to protect.”