What cyber lessons can be learned from the Paris Olympics?
As Australia celebrates its most successful Olympics in history, with athletes like Kaylee McKeown and Jess Fox leading the charge in taking home the golds, it's also worth reflecting on how this year's Olympics performed in the arena of cyber security. Major global events like the Olympics have always been a huge target for cyber criminals. The 2021 Tokyo Olympics saw 450 million attempted cyberattacks. Paris was expected to receive 8 to 10 times more cyberattacks than Tokyo, according to Marie-Rose Bruno, Director of Technology and Information Systems for the Paris Games.
The Paris 2024 Olympics, however, proved to be quite resilient. The French government cyber security agency ANSSI has revealed the event reported 140 low-impact cyberattacks, none of which disrupted the competition. While the organisers put in tremendous effort and got many things right to uphold the games, fraudulent ticket websites and risks around third-party security still raised concerns, underscoring the relentless threat posed by malicious actors seeking to disrupt, steal data, or spread misinformation.
One of the Paris Olympic venues, the Grand Palais, and around 40 other museums in France did fall victim to a ransomware attack in early August. Cybercriminals targeted the system used to "centralise financial data" with attackers demanding a ransom.
Therefore, as Australia gears up for major events like the Melbourne Cup, the Australian Open, and eventually the Brisbane 2032 Olympics, what lessons can be learned from Paris 2024?
What went right? Preparedness, endpoint detection and real-time response
France reportedly worked to counter emerging cyber threats and major attacks targeting the games for nearly three years ahead of the event, teaming up with cyber defence agencies from around the world and collaborating with the private sector to safeguard the games and the public.
To bolster cybersecurity for the Paris 2024 Olympics, France invested over €10 million in a program managed by ANSSI which aimed to protect critical infrastructure and systems. This program provided technical support, threat detection and response plans and involved deploying advanced security measures like endpoint detection and response systems.
This approach was critical not only for drastically reducing the overall number of cyberattacks but also for ensuring that none of them became a serious problem. Amongst the 140 reported cyberattacks, only 22 incidents involved "a malicious actor" successfully targeting a victim's information system.
What went wrong? Fraudulent ticket websites and unsecured official partners
Despite a much better performance than the last Tokyo games, there were still several loopholes that left the public vulnerable. For example, ahead of the games, scammers capitalised on the high demand for tickets by creating sophisticated fraudulent websites that mimicked official platforms. These sites often appeared high in search engine results, tricking unsuspecting fans into purchasing fake tickets and compromising their personal and financial information.
Timeliness is a key consideration for cybercriminals, and we have seen them leverage real-time global events that have the attention of the wider world to launch credible, targeted phishing campaigns. High-grossing, in-demand events such as the Olympics, The Taylor Swift Eras Tour or the Euro 2024 tournament are the perfect hunting ground for cyber criminals who will exploit fans' desperate need for tickets or target new staff without proper training, causing victims to skip some of the scrutiny they might otherwise apply.
At Proofpoint, we exposed one such website, "paris24tickets[.]com," which claimed to be a secondary ticket marketplace and ranked highly in Google searches for "Paris 2024 tickets." French authorities ultimately identified 338 fraudulent websites, shutting down 51 and issuing warnings to 140 others.
Adding to the concern, a Proofpoint study also revealed that two-thirds of the Games' Official Partners lacked adequate email security measures to protect against domain impersonation, potentially exposing fans to email fraud. The study found low adoption rates of DMARC (Domain-based Message Authentication, Reporting and Conformance), a crucial email authentication protocol, across various stakeholders, including local authorities and ticketing platforms. Of the 77 Official Partners of the Olympic Games, only 26 (34%) actively protected their domain name with the strictest and recommended level of email authentication. This lack of protection meant fraudulent emails could easily have reached the public, putting consumers at risk.
Future event organisers should examine third-party risks, including partners' and vendors' cyber security postures, and ensure they are protecting themselves with the best technologies and processes possible ahead of the event.
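A partner review of this kind can start by classifying each domain's published DMARC record. The Python sketch below is an added example, not Proofpoint's study code: it takes the strictest level to mean p=reject applied to all mail and to subdomains (an assumption about scoring), and the domains and records are constructed samples.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# Domains and records are constructed samples, not data from the study.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-record"
    if len(records) > 1:  # multiple DMARC records: receivers apply none of them
        return "invalid"
    tags = records[0]
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = tags.get("pct", "100")
    if policy not in POLICIES or sub_policy not in POLICIES:
        return "invalid"
    if not pct.isdecimal() or int(pct) > 100:
        return "invalid"
    if policy != "reject":
        return policy  # "none" (monitoring only) or "quarantine"
    # Full enforcement: reject for all mail, on the domain and its subdomains.
    return "reject" if int(pct) == 100 and sub_policy == "reject" else "reject-partial"

def audit(domains):
    """Map each domain to its level and count those at full 'reject'."""
    levels = {d: classify(txts) for d, txts in domains.items()}
    return levels, sum(1 for level in levels.values() if level == "reject")

SAMPLE = {  # constructed partner domains and _dmarc TXT answers
    "partner-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@partner-a.example"],
    "partner-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "partner-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@partner-c.example"],
    "partner-d.example": [],
    "partner-e.example": ["v=DMARC1; p=reject; pct=25"],
    "partner-f.example": ["v=DMARC1; p=reject; sp=none"],
}
```

Calling audit(SAMPLE) returns the per-domain levels and the number of domains at full enforcement; a record with p=reject but pct=25 or sp=none is reported as "reject-partial" because impersonating mail can still be delivered.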
Lessons for Australia's Future Events
France's proactive approach to cybersecurity demonstrates how effective preparation can significantly mitigate risks. By investing heavily in protective measures and fostering international collaboration, it is possible to mount a strong defence against the increasingly complex threat landscape. However, as Australia prepares for major events like the Brisbane 2032 Olympics, how can it bring the threat risk down even further?
- Proactive defence is key: Organisers must prioritise cybersecurity from the outset, implementing robust defences against a range of threats, including phishing attacks, malware, and DDoS attacks.
- Partner vigilance is crucial: All stakeholders, including sponsors, ticketing platforms, and vendors, must adhere to strict cybersecurity standards to avoid becoming weak links in the chain.
- Empowering fans: Public awareness campaigns are essential to educate fans about online threats, encouraging them to purchase tickets from official sources and be wary of suspicious emails or websites.