A growing chorus of cybersecurity experts is warning that fantasy sports websites represent a prime target for hackers. The volume and sensitivity of data on these sites is significant. And many have failed to put expansive data protection measures into place.
The internet is rife with fantasy sport sites. However, just two – DraftKings and Fan Duel – share the bulk of the traffic. These sites allow users to predict the performance of individual athletes and compete against other users for cash prizes. Fantasy football is the biggest draw, but most major sports now have pay-to-play fantasy options available.
These sites do million of dollars in transactions in a short period of time. The daily fantasy industry netted $290.7 million in revenue just in the US in 2015. DraftKings accounted for $174 million of that revenue and FanDuel for $106 million. It is predicted that growing competition in the market will push the total revenue for daily fantasy sports into the billions in the near future.
In addition to the money itself, these sites store the personal and financial data of million of users. These sites may not rank in the Top 10 of consumer-facing websites, but their appeal as targets for hackers is significant.
Theft is not the only concern. Experts have also warned that hackers could manipulate the data used to determine winners and losers to award legitimate prizes to fraudulent users. The explosion in traffic these sites face on the Sunday morning before most football games also puts them at risk of denial-of-service and zero day attacks.
Both FanDuel and DraftKings have stood behind the depth and breadth of the security measures they have in place. DraftKings in particular has said that access to sensitive information is strictly limited and only authorized on a case-by-case basis after thorough vetting.
Despite these assertions, experts have encouraged both sites to update and expand their security protocols. They call for transparency and disclosure in regards to where, what, and how data is stored. These experts have also warned that if a data breach were to occur it would likely subject any daily fantasy provider to a wave of lawsuits.
Both websites have previously faced lawsuits accusing them of false advertising and fraud after it was discovered that employees were placing bets using information not available to the public. This practice is not illegal, but by doing it the companies put sensitive information at risk that could have led to losses for public players totaling millions.