SA's sports industry has become an attractive target for cyber criminals, who know it handles large volumes of data but relies on weak cyber defences. Cyber security and risk assessment experts warn of a rise in more sophisticated and damaging attacks.
Risk insurer iTOO Special Risks cites the 2023/24 Cybersecurity Exposure Index, introduced by the Council for Scientific and Industrial Research (CSIR) and the Department of Communication and Digital Technologies, which found that 88% of South African organisations reported at least one breach, and nearly half experienced between one and five incidents in a year.
“These are automated, opportunistic sweeps looking for weak passwords, outdated systems or unsecured databases," says Sarah Watson, cyber underwriter at iTOO.“If a club holds data, it is a target.”
Even modest clubs hold rich personal information – ID numbers, contact details, medical records, emergency contacts and payment records – that fuels identity theft, social engineering and financial fraud, the company says.
“Criminals don’t care whether a club has 50 members or 5 000; they care about the quality of the data and the ease of access," says Watson. "Online entry systems, membership portals and payment platforms designed for convenience are equally convenient for attackers.”
Weak authentication, unchanged passwords and outdated plugins make these systems easy to compromise, says iTOO. Once inside, criminals can steal data, lock out administrators or disrupt events by shutting down entry systems at critical moments.
Rising financial fraud
Business e-mail compromise (BEC) continues to hit SMEs and community organisations, with criminals intercepting or imitating invoices. A single fraudulent payment for kit orders, timing services or venue hire can wipe out a club’s annual budget.
As e-mail awareness improves, attackers are shifting to mobile scams. WhatsApp impersonation has surged, with criminals cloning profiles and mimicking writing styles to create urgent payment requests.
“Clubs rely heavily on WhatsApp, and attackers know that. Mobile platforms make verification harder,” Watson says.
SA is among Africa's most targeted countries for ransomware. The CSIR estimates cyber crime costs the economy R2.2 billion annually, with ransomware among the costliest forms.
Watson says modern attacks involve “double extortion”: criminals steal data before encrypting systems, then threaten to leak it unless paid. For clubs, this could mean locked membership databases, threats to publish personal information, or race entry systems taken offline before events.
“Reputational fallout can be even more damaging than financial loss," she adds. "A breach erodes trust, and trust is the foundation of any community organisation. Members may hesitate to share personal information, sponsors may reconsider their involvement and participants may avoid events associated with poor data protection.”
“An uncomfortable truth is that sport has professionalised commercially and digitally far faster than it has secured itself.”
Anna Collard, SVP, content strategy and CISO advisor at KnowBe4
Most clubs rely on volunteers using personal laptops, shared passwords and unsecured WiFi, says iTOO. Websites and plugins are often outdated, backups inconsistent and POPIA compliance uneven. Human error – responsible for 95% of global breaches – is amplified when volunteers juggle multiple responsibilities.
Watson advises organisations to: centralise member data on secure cloud platforms; enable multi-factor authentication; train volunteers to spot phishing and verify banking details; maintain regular backups; use secure payment processes; and consider cyber insurance.
Under POPIA, organisations face fines of up to R10 million and must notify every affected individual after a data breach. “For a club with a few hundred members, notification alone can exceed R1 million. Cyber insurance provides expert incident response, legal support and financial protection,” says Watson.
“When something feels urgent, unusual or too good to be true, pause. Most cyber incidents begin with a moment of pressure or convenience. A single click or rushed payment can trigger months of damage. Cyber criminals rely on speed; clubs can protect themselves by slowing down.”
Soft target
Anna Collard, SVP of content strategy and CISO advisor at KnowBe4, says sport is driven by human emotion and behaviour, which criminals exploit.
“Sporting bodies sit on a deep pool of data and their defences often lag. But the more interesting story is behavioural: sport runs on precisely the emotions social engineers exploit – passion, urgency, loyalty and trust. A fan chasing final-match tickets, an official rushing a transfer payment, a volunteer treasurer working off a personal laptop after hours – these are moments of heightened emotion and time pressure, which is exactly when human judgment degrades and people click. That’s why the dominant threats here aren’t exotic.”
She adds that BEC remains the single biggest global risk to sports organisations. In one documented case, an English Premier League club was spear-phished during a £1 million transfer negotiation.
“What we’re seeing now is volume plus legitimacy: recent threat data shows sports organisations receive materially more phishing than other sectors, much of it passing standard authentication because attackers abuse trusted platforms rather than spoofing domains. For South Africa, the risk is amplified. Most of our clubs and federations are under-resourced and volunteer-run, while attackers increasingly run automated, opportunistic sweeps. If a club holds data, it’s a target, whether or not anyone chose to target it. An uncomfortable truth is that sport has professionalised commercially and digitally far faster than it has secured itself.”
Lionel Dartnall, country manager for SADC at Check Point Software Technologies, says trust and close relationships within sporting communities are also a prime vulnerability. “Cyber criminals exploit these trusted relationships through impersonation and social engineering. For instance, an e-mail from a 'club chairperson', an urgent payment request via WhatsApp from a 'coach' or a fake tournament link shared in a group chat is often accepted without the scrutiny typical of a corporate environment.”
He urges organisations to foster a culture where verification is seen as good governance, not mistrust. “By combining cyber-aware people, robust governance, secure identities, protected e-mail, resilient technology and a culture of verification, South African sports organisations can dramatically reduce their exposure to scams and cyber attacks while preserving the trust that defines them.”

