National Football League fans across the U.S. have started clicking into daily fantasy sports websites to predict how professional players will perform in actual, on-field games. But if the operators of daily fantasy sports websites aren’t careful, consumer trust and brand loyalty may be at risk due to increased cybersecurity perils, privacy and cybersecurity professionals told Bloomberg BNA.
Gone are the street bookies who jotted down track bets on note pads and knew their clients personally. The biggest risk in that world of underground gambling came from vice squads or bookies who couldn’t pay off winning bets.
With fully public daily fantasy sports—represented by industry leaders Boston-based DraftKings Inc. and New York-based FanDuel Inc.—the greatest risk to betting comes from hackers drawn like magnets to the millions of dollars changing hands and the massive amounts of sensitive consumer and payment card data, the privacy and security pros said.
Daily fantasy sports are an online game in which participants wager on the individual performances of players, instead of a full team, and try to beat the odds against hundreds of other players in prize pools. The winnings of each game depend on the amount of participants and the entry value of each team.
The daily fantasy sports industry is the “intersection of tech, money and personally identifiably information (PII),” Fred Rica, principal and U.S. Cyber Defense Leader at consulting company KPMG in New York, told Bloomberg BNA. That intersection “is part of a perfect storm, a bull’s-eye for someone that is going to go after you because of the valuable information you possess,” he said.
John Miller, threat intelligence manager at Reston, Va.-based cybersecurity company FireEye Inc., agreed that the daily fantasy sports sites are “ a prime target.” Cybercriminals “take significant interest in online gaming- and betting-related services of all types,” he said.
Bad actors may try to manipulate daily fantasy sports data to reach more favorable outcomes to increase hacking profits and poke holes in the companies’ cybersecurity, Rica and Miller said.
Daily fantasy sports companies should employ data security best practices and constantly monitor and track cybersecurity risks to avoid having to shut down their sites. In addition, they should take those measures to avoid costs associated with class actions, the privacy and cybersecurity professionals said.
Popular Sites Rake in Money, Data
According to a report by Santa Ana, Calif.-based gaming research company Eilers & Krejick Gaming LLC, privately-owned DraftKings and FanDuel are the most popular daily fantasy sports websites in the U.S. The daily fantasy industry in 2015 raised $290.57 million in revenue in the U.S., with FanDuel and DraftKings accounting for $174 million and $106 million in revenues respectively, the report said.
Those yearly revenues wouldn’t put FanDuel or DraftKings in the top 10 largest consumer-facing online companies, but they are backed by some large tech, sports and entertainment enterprises, Alphabet Inc., Comcast Corp. and Time Warner Inc. invested in FanDuel, while Fox Sports Inc., Major League Baseball, National Hockey League Inc. and Major League Soccer LLC invested in DraftKings, the report said.
As the industry continues to grow, other providers that engage in fantasy sport wagering, such as Yahoo! Inc., will increase market competition and cause industry revenues to grow into the billions, the report said.
The millions of dollars in new revenue would make the daily fantasy sports industry an even more attractive target for hackers.
Troves of Sensitive Information.
Like any consumer-facing company with troves of PII and other sensitive data, daily fantasy sports companies face a constant barrage of cybersecurity threats.
It isn’t only the credit card and other financial data that makes fantasy sports sites attractive to hackers, Jeffrey M. Schlossberg, principal and member of Jackson Lewis PC’s Privacy, e-Communication and Data Security group in Melville, N.Y., told Bloomberg BNA. The sites are a target based on the sheer volume of consumers data they collect, including Social Security and driver’s license number, he said.
The financial data in combination with the PII makes the websites even more appealing to cybercriminals, Schlossberg said.
Rica said that taking down a daily fantasy website on a Sunday morning when NFL games are played would be a tremendous monetary loss for the industry.
Miller said that “one of the most common techniques” that hackers use against daily fantasy sports websites “is compromising user accounts and transferring out any value holdings,” such as “stealing a players’ earnings.” These kinds of attacks are also very common in mobile gaming, he said. Criminals steal and sell virtual items from compromised accounts and transfer any profits.
A DraftKings official, speaking on background, told Bloomberg BNA that the company faces the same threats that other e-commerce websites face. Any “website that has a public point of presence should be concerned about denial of service attacks and other zero-day exploits,” the official said.
To limit attacks against DraftKings, the official said the company imposes strict guidelines on who can access sensitive information. DraftKings only “grants access to the right people and only through an intensive credential process,” the official said. All requests to the sensitive information “must be approved by a vice president or executive and from day one everyone has zero access and get permissions on a case-by-case basis,” the official said.
A FanDuel spokeswoman told Bloomberg BNA that the company protects customers’ sensitive information and payment card data using “a variety of security technologies.”
Gaming the System.
Rica said that hackers may be able to “track current bets and try to game the system a little bit.” If they are able to “understand certain algorithms and modify points or player values it could make it advantageous” to rig the system, he said.
Trying to influence online gaming is almost like insider trading or “shorting the stock market” off of manipulated data, Rica said. “You have to believe bad guys are going to after the data,” he said.
Miller said that to hide the money that hackers steal, they may conceal the funds in the same or other daily fantasy sports websites “to launder illicit funds.” Instead of immediately moving the money off the betting platforms, “a malicious actor could use the accounts to fund betting pools won by the actor at some predictable rate,” he said.
However, many hackers probably won’t launder their money through daily fantasy sports because it is a complicated scheme and much harder than simply stealing the funds, Miller said.
Class Action Risk.
Rica said that although “there is no such thing as 100 percent security,” companies should try “to make it easy for the consumer to play yet provide protection of their sensitive data.”
To protect consumer data, daily fantasy sports companies should implement a program that “communicates to customers how they handle and protect data,” he said. As part of the program, companies should have a plan in place that details how they “collect, store and dispose of PII, manage the identities of customers, limit who has access to which data and stay on top of threats and threat actors,” Rica said.
Due to the mix of consumer and credit card payment data collected, daily fantasy sports websites may have a higher risk of class actions. The daily fantasy sports industry “is ripe for more litigation, particularly if there is a big loss or fraud,” Rica said. In the event “someone covers up a massive fraud, there is going to be a lawsuit,” he said.
Both DraftKings and FanDuel have been subject to lawsuits alleging fraud and false advertising. These companies faced scrutiny in 2015 after it was found that employees were making bets on the sites using internal information not available to the public. Both companies issued separate statements saying that the information wasn’t leaked to outside sources and that employees are no longer able to make bets.
Although the actions weren’t illegal, if the information had fallen into the hands of hackers or sold on the dark web the repercussions and loss of player winnings could have reached into the millions.
To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com
To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com