A series of disclosures about "dirty deals" at FIFA have been published after internal documents from the football governing body were leaked to the press.
The revelations are based on information accessed by the Football Leaks organisation, which handed more than 70 million documents and 3.4 terabytes of data to German magazine Der Spiegel for analysis.
The trove contains evidence that some of Europe's top clubs plan to break away from UEFA and form their own "super league", and that FIFA President Gianni Infantino helped Manchester City and Paris Saint-Germain avoid punishment for financial fair play rules and "secretly worked to weaken the global football organisation's code of ethics".
Der Spiegel claims that the material comes from a Portuguese football fan identified only as "John", whose disgust with corruption in the sport led him to found Football Leaks and become a whistleblower.
John told Der Spiegel that he got the documents from a network of sources and "stresses that neither he nor any of his comrades-in-arms is a hacker", but critics doubt that he could have accessed such a breadth of documents from a variety of organisations without someone conducting a cyber attack.
Prior to the publication of the leaks, FIFA officials admitted that their computer systems had been hacked in March, and that they expected a series of stories in the news media would follow.
On 31 October FIFA president Gianni Infantino told the Associated Press that media outlets had contacted the organisation about leaked information they had received.
"The questions we received, we answered," he said. "My job entails having discussions, having conversations, exchanging documents, drafts, ideas, whatever, on many, many, many, many, topics. Otherwise you don't go anywhere.
"I mean, if I just have to stay in my room and not speak to anyone and cannot do anything, how can I do my job properly? So if then this is being portrayed as something bad, I think there's not much I can do more than my job in an honest way, in a professional way and trying to defend the interests of football."
Two days later, Der Spiegel published its first reports based on the leaked documents. FIFA responded to the allegations in a statement, arguing that the reporting was an attempt to weaken the organisation's new leadership and that none of the reports contained evidence of crimes.
"Four weeks ago, a group of journalists sent several hundred questions to FIFA, based on private and internal e-mails and other information which had been accessed (illegally) by third parties," it read. "Despite the fact that we answered the questions posed to us in a straight-forward and honest manner, certain media decided to ignore most of our answers and to distort both the facts and the truth in a deliberate attempt to discredit FIFA and to mislead their readers.
"This is evident. It seems obvious from the 'reporting' carried out in some media outlets that there is only one particular aim: an attempt to undermine the new leadership of FIFA and, in particular, the President, Gianni Infantino, and the Secretary General, Fatma Samoura ... For the avoidance of doubt, it also deserves to be pointed out that NONE of the 'reports' contains anything which would even remotely amount to a violation of any law, statute or regulation. This is, beyond question, an immeasurable improvement on the past and something which FIFA is fully committed to going forward."
A phishing campaign is the suspected cause of the hack, which FIFA claims occurred in March, just months after it was the victim of another major cyberattack, which led Russian hacking group Fancy Bears to leak details of failed drug tests by footballers.
Tim Sadler, the co-founder and CEO of email security startup Tessian said the hack appears to be the result of a "classic phishing scam" that duped an unassuming employee.
"Within an organisation that employs thousands of individuals like FIFA, there are thousands of human vulnerabilities for attackers to target and exploit and huge swathes of highly valuable data to exfiltrate," he said.
"To minimise the risk of falling victim to this phishing attack – and any other kind of phishing scam – it is important that FIFA's employees are sceptical and vigilant. In other words, they should expect to be targeted by fraudsters and respond by treating any request for information or payment in their inbox as suspicious, particularly in the aftermath of this breach.
"It is also important that staff are trained on the characteristics of a phishing scam, how they operate and how they can financially and reputationally impact their organisation. However, as FIFA have been hacked twice this year, and strong-form impersonation phishing scams are on the rise and proving increasingly effective, vigilance alone is not enough."
Sadler argued that the best means of defence was using machine learning tools that analyse patterns of behaviour in emails to spot anomalies that suggest an attempted compromise.
Tony Pepper, CEO of Egress Software, echoed Sadler's calls for mitigating such risks through the use of machine learning and expressed sympathy for Infantino's defence.
"When questioned about the breach, the FIFA President explained that exchanging documents, drafts and ideas is core to his job, and I think we can all relate," said Pepper.
"Very little data actually just stays in a database or on a single server anymore. When sharing documents containing sensitive information, the first thing that should be done is to encrypt emails and attachments in transit and at rest in the mailbox, and add multi-factor authentication and policy controls when additional security is also required.
"This particular data breach highlights the need for enterprises to review the protections they are putting around unstructured data, especially within emails, meaning that if such sensitive information falls into the wrong hands, the risk of it being exposed is mitigated. Regardless, it's another example of the risks enterprises are facing; they must review their cybersecurity procedures to ensure this does not happen again."
Simon McCalla, CTO of Nominet, added that simple changes to processes and systems backed up by training and education may have prevented the breach.
"To reduce the risk of users clicking on the 'near to' domains used - such as replacing [email protected] with [email protected] - deploying a robust anti-phishing system will absolutely help, but you can't rely on defence systems alone," he said.
"It's important to educate users on the dangers of phishing and how to spot suspicious emails too. It's also essential to instil a culture of security, where staff are encouraged and enabled to check anything that they’re not sure about.
"Perhaps the most interesting aspect of this hack is that FIFA acknowledged they 'had been unable to find traces of a hack in its computer systems'. This speaks volumes about how hard it is to detect data exfiltration techniques, which are often obfuscated to hide in the massive flows of traffic that leave organisations such as FIFA daily.
"Stricter rules, like GDPR in the UK, would have also expedited the disclosure of the breach thus prompting extra care from businesses."
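The "near to" domain trick McCalla describes (a sender domain one character swap away from the real one) is something a mail gateway or SOC analyst can screen for mechanically. The following is an added example, not code from the article or from any vendor quoted in it; the trusted domains and sender addresses are constructed placeholders, not FIFA's real domains.

```python
"""Flag sender domains that are 'near to' a trusted domain (added example).

All domains below are constructed placeholders; replace TRUSTED_DOMAINS with
the domains your organisation actually sends from.
"""
import re

# Constructed allow-list of the organisation's own sending domains.
TRUSTED_DOMAINS = {"example.org", "mail.example.org"}

# Digit-for-letter swaps commonly used in lookalike domains, folded to letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(domain: str) -> str:
    """Lower-case, fold digit homoglyphs and the 'rn'->'m' / 'vv'->'w' tricks."""
    d = domain.strip().lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


# Trusted domains are compared in the same folded form as the candidate.
CANON_TRUSTED = {canonical(d) for d in TRUSTED_DOMAINS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for one address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = canonical(domain)
    for trusted in CANON_TRUSTED:
        # Homoglyph match or a couple of edits away: examp1e.org, exampel.org
        if levenshtein(folded, trusted) <= max_distance:
            return "lookalike"
        # Trusted name used as a subdomain of something else: example.org.evil.net
        if trusted in folded:
            return "lookalike"
    return "external"
```

Tune `max_distance` to your domain length: very short trusted domains will collide with many legitimate ones at distance 2.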