FIFA World Cup 2022: Qatar Violated GDPR/CCPA Norms, Says Security Expert

With the first global football tournament to be held in the Arab world, FIFA World Cup 2022 in Qatar has hogged the world’s attention, including cybercriminals. While attackers are already leveraging FIFA and football-based campaigns to target organizations in Arab countries, Qatar itself faces pointy questions on data privacy and sovereignty. KnowBe4 lead security awareness advocate Javvad Malik shares his quick takes on the situation with The Cyber Express. 

Was Qatar in violation of the norms followed under GDPR/CCPA by demanding access to foreigners’ mobile phones with the two mandatory apps? How?  

Yes, the apps collected far too much information, much of which was unnecessary and for unknown purposes. Moreover, the privacy notices did not even inform users about the extent of information that was going to be gathered by the apps. Although most people won’t read the privacy policy, it is essential that at the very least it states what information is being collected from users’ phones and for what purpose.  

What are the major cyber issues spotted till now? 

In the run up to the world cup we have seen a huge rise in phishing emails with criminals trying to gain access to sensitive systems. Fans of football have also been targeted with scams such as fake merchandise, tickets, or even competitions.  

Has the pandemic in any way affected the cybersecurity posture of major sporting events like these? How? 

The main impact the pandemic has made has normalised additional rules. Most of them such as face masks or proof of vaccination are understandable. The biggest impact from a cybersecurity aspect has been local apps, particularly ones with location tracking capabilities. While the intent may be to ensure people isolated properly, cybersecurity is often an afterthought when these apps are developed, and little consideration is given to how these apps will handle sensitive data and who will have access to them.  

What are the usual cyber scams that pop up during events like these? 

The usual scams involve selling fake or non-existent items, such as tickets or merchandise. There are also other scams such as login pages to access exclusive content which are designed to steal personal information. These events also provide a good opportunity to spread disinformation and sow the seeds for broader attacks.  

What would be the three top tips that you would offer for a visitor? 

For a visitor, the best thing to do would be to purchase a “burner phone” – this can be any cheap phone on the market that they will use to download the required apps, but have no personal information on it. So any tracking cannot be linked to them easily.  

The second thing would be to update all devices before travelling, ensuring the latest security patches are applied.  

Finally, access the apps only when required, try to stay off public Wi-Fi, and use your own chargers for your devices.