Increasing Markets for Sports Betting Could Lead to Cybersecurity and Data Privacy Risks for Companies and Consumers

Currently, 33 states and the District of Columbia have legalized sports betting and wagering. In 22 of these states, online sports betting is permitted. Most of the country now has access to sports betting either online or in person.

Several state legislatures haven taken up the issue this legislative session. Kansas, South Carolina, Missouri, Maine and Massachusetts are five such states with recent developments.

• Kansas—On May 2, the Kansas legislature approved a measure that would allow individuals to place sports bets in person at state-owned casinos or at 50 other locations chosen by the four state-run casinos in the state. The bill would also permit online sports betting. The governor is expected to sign the measure into law in the coming days.
• South Carolina—The South Carolina legislature is currently considering a bill that would allow online and in-person sports betting. The bipartisan bill was introduced in the House on April 21. If the legislature would like to enact the measure this session, it will need to do so before the end of the legislative session on May 12.
• Missouri—The Missouri legislature is poised to pass a bill that would permit online and in-person sports betting. The bill has already passed the Missouri House and will likely pass the Senate in the coming days.
• Maine—On May 2, the Maine governor signed into effect a law that legalizes online and retail sports betting.
• Massachusetts—In Massachusetts the House and the Senate have each passed a bill that would allow for online and in-person sports betting in the state. The two bills differ, however, as the House version permits betting on college sports while the Senate version prohibits it. Lawmakers will need to reach a compromise on this provision before sending the legislation to the Governor for approval.

California voters will consider whether to bring sports gambling to their state this November in a voter referendum. Two ballot initiatives have already garnered enough signatures to be put to a vote this fall. The first would legalize in-person sports betting at regulated establishments. The second would legalize online sports betting in the state. Each ballot must be approved by a majority of California voters to become law.

Cybersecurity and Data Privacy Risks Associated with Sports Betting

As sports betting becomes more pervasive, so do the cybersecurity and data privacy vulnerabilities that the industry presents. When placing a sports bet, bettors are required to disclose a large amount of personal information. This can include the individual’s date of birth, Social Security number, physical address, email address, financial and banking information, and location data.

In addition to the data that users contribute to place bets, the platforms used to place bets also use and generate a lot of data about the sports themselves. Most sports betting platforms allow bettors to bet on a wide variety of events such as which team will win the game, the score of a game, the performance of a certain player and whether a game will go into overtime. These bets remain open throughout the game, and the odds are driven by data. The data used to calculate these odds include statistics relating to the performance of the players and teams, the composition of the league, the time in the season which games are scheduled and other factors. The privacy and integrity of this data is crucial to a properly regulated sports gambling industry. If this data is compromised, it could have drastic effects both for bettors and for the integrity of the sports betting industry.

Due to the sensitive information that sports betting technology holds, these systems are ripe for cyberattack. Across the board, cyberattacks are on the rise. The highly valuable personal information held by sports gambling providers makes these companies ripe targets for malicious cyber actors. Malicious cyber actors have already executed hacks of similar gambling operations, such as lotteries and casinos, to access this type of information. In 2016, the United Kingdom’s national lottery was hacked, and more than 26,500 online lottery accounts were compromised. As a result of this attack, malicious cyber actors gained access to personal information of those individuals whose accounts were compromised. In February 2020, MGM Resorts and Casino experienced a cyberattack in which 142 million individuals’ personal details were stolen and placed for sale on the dark web. Information accessed in the intrusion included private information about guests and players, including names, home addresses, phone numbers, emails and dates of birth. Moreover, there has already been one reported cyberattack on an online sports betting portal. In March 2020, the Oregon lottery had to shut down its online sports betting platform, SBTech Scoreboard, due to a suspected breach. Ultimately, no information was compromised in the attack because SBTech was able to take its systems offline and resolve the intrusion before the hackers accessed any of this data.

Best Practices for Cybersecurity and Data Privacy

States and companies that are operating sports betting platforms should invest in implementing cybersecurity and data privacy best practices. Cybersecurity best practices for these organizations align with general cybersecurity best practices and can include:

• Following best practices policies and procedures issued by government agencies and industry groups;
• Creating proactive connections with law enforcement agencies and third-party cybersecurity providers;
• Having in place cybersecurity incident response policies and procedures;
• Utilizing threat intelligence services (both public and private) to manage emerging threats;
• Adopting a “zero-trust” cybersecurity model so that there is equal importance placed on both stopping attacks and recovering from them;
• Ensuring that executives, including board members, are briefed on cyber threats and cybersecurity measures;
• Mandating multifactor identification for users and employees;
• Employing endpoint detection and response technologies; and
• Investing in secure payment systems to process transactions.

Companies involved in sports betting should also be aware of any laws in their states that concern safe storage of data as well as their obligations to consumers in the case of a data breach. Many states’ data privacy regulations will cover obligations in both instances.

The bottom line is that cyber criminals—like any other criminals—follow the money. It follows, then, that the massive increase in sports betting across the United States is bound to attract hackers looking to steal funds and disrupt platforms. Venue owners and operators as well as sports betting platforms should be taking steps now to minimize the possibility of suffering cyberattacks.