Darktrace released new research showing 84% of professional sports organisations have experienced a cyber incident in the past 12 months. More than half (57%) were hit multiple times.
As the 2026 FIFA World Cup puts professional sport into the global spotlight, the new report Cybersecurity in Global Sport: Threats, Signals, and Strategic Implications for a Digitized Industry highlights how AI is changing the risk landscape for professional sports. Attackers are using AI to create more convincing phishing emails, tailor lures to real teams, venues, sponsors, executives, and events, and move faster across complex digital environments. At the same time, sports organizations are adopting AI across their own operations, creating new blind spots for security teams.
Darktrace found that 83% of cybersecurity professionals in professional sports surveyed believe they have detected AI use in cyberattacks against them in the past 12 months, while 72% believe AI will increase cyber risk over the next year. That risk is amplified in professional sports, where live events, high-value data, public pressure, fixed schedules, and large networks of partners and suppliers all intersect at once to offer attackers maximum publicity, profit and potential impact. According to the survey, the average cyber incident cost sports organizations $169,000 (USD) over the past 12 months. However, the real financial impact compounds: 57% reported being hit more than once, and 43% reported between six and 10 incidents in a single year. For each of those organizations, the cumulative annual cost could climb to as much as $1.7 million.
The wider impact goes beyond financial loss. In sport, a compromised executive account, fake fan communication, disrupted ticketing system,or exposed athlete data can create deep and immediate public, financial, and reputational damage.
Security concerns increasing as AI adoption rises
Within professional sports organizations, AI adoption is growing rapidly from the backroom to pitch.
Security professionals surveyed for Darktrace’s research reported that stadium operations would cause the greatest impact if compromised in a cyberattack (cited by 34%). Yet more than a third (35%) said they are already deploying AI into those same operations or plan to in the next 12 months, bringing new risks in the area they can least afford to lose.
A similar pattern follows in other operational areas. One-third of respondents said they are using or planning to use AI for ticketing operations and fan engagement, and 32% are using it for marketing operations and content generation. At the same time, many remain concerned about integrating AI into those critical systems. Nearly half of security professionals cited risks introduced during AI development and deployment (47%) and AI prompt risks and attacks (47%), while 35% pointed to shadow AI as a concern.
As sports organizations expand AI use into increasingly critical operations, security teams need visibility into what AI tools can access and what actions they can take, how they interact with sensitive systems and data, and whether the underlying AI infrastructure itself is being targeted or misused.
Phishing and identity remain high risks
Darktrace telemetry data shows that email and identity remain key attack paths for the sector. The report found that sports organizations are particularly exposed to email phishing attacks, with Darktrace sports sector customers receiving nearly 20% more phishing emails than those in other industries. Darktrace / EMAIL™ detected more than 116,000 phishing emails targeting sports sector customers across 6 months spanning from October 2025 to March 2026. Of those, 21% targeted VIPs, 38% were spear-phishing attempts, 84% successfully passed DMARC authentication, and 37% contained novel social engineering features.
“Professional sport is a high-pressure environment where timing matters,” said Nathaniel Jones, VP, Security and AI Strategy at Darktrace. “A suspicious login, unusual data movement, or unexpected AI agent action may look small in isolation, but during a live event it can become operationally significant very quickly. The most effective way to mitigate the risks facing sports organizations both internally and from external actors today is to adapt a behavioral approach to security. That means shifting away from rules and signatures and focusing on understanding both human and AI behavior inside your environment.”
Taking action to stay ahead of evolving risks
As the sports industry enters a new phase of exposure, behavioral approaches become increasingly vital to securing organizations and events. Security teams need to understand what normal looks like across the environments that matter most to sport: people, identities, email, stadium systems, suppliers, and AI tools. That behavioral understanding helps them detect threats designed to blend into normal activity, whether the risk comes from an external attacker, a compromised account, or an AI agent acting outside its intended role.
In this environment, AI systems like Darktrace / SECURE AI, which uses a behavioral AI approach to enable and secure AI agent creation and usage, provide a vital foundation for security operations, providing unified, real-time visibility across environments and machine speed response to potential threats.
Building on that behavioral AI foundation, Darktrace highlights six priority actions for professional sports organizations to stay ahead ofevolving threats:
- Threat modeling for emerging technologies, including AI misuse
- Rigorous supply‑chain governance and vendor access control
- Strong segmentation across IT, OT, and fan‑facing systems
- Identity‑centric security with anomaly detection and universal multi-factor authentication (MFA)
- Phishing resilience across all channels, including QR‑based vectors
- Operational playbooks aligned to live‑event constraints
