Cybersecurity Lessons From an NFL Draft Day Prank

Sometimes, a real-world event vividly illustrates the importance of digital security basics. The recent NFL draft provided just such a case, involving an unlocked iPad, a prank call, and significant consequences.

The story centers around Shedeur Sanders, a highly anticipated draft prospect, and Jeff Ulbrich, the Atlanta Falcons' Defensive Coordinator. To maintain security during the draft, prospects use special phone numbers known only to NFL teams. Ulbrich had this sensitive contact list stored on his iPad.

Days before the draft, Ulbrich's son, Jax, used the unlocked iPad, discovered Sanders' private number, and recorded it. On draft day, Jax and a friend used the number to prank Sanders, posing as the New Orleans Saints GM, claiming they were about to draft him. This prank came as Sanders experienced a draft-day slide, falling from a projected first-round pick to the 144th selection; in the fifth round.

The incident didn't stay private. Video emerged, leading to Jax Ulbrich issuing a public apology. More tangibly, the NFL fined Jeff Ulbrich $100,000 and the Falcons organization $250,000 for the security lapse. Beyond the fines, the event potentially cost Sanders millions (the salary difference between early and later picks is vast) and undoubtedly created trust issues within the Falcons organization.

Lessons Beyond the Gridiron

There are lessons here that are relevant for any business; not just billion-dollar sports franchises. What can you learn from this NFL fumble? Here are a few things: 

• The imperative of authentication - An unlocked device containing sensitive information was the root cause. Every phone, tablet, and computer, particularly those used for work, needs robust password protection or other authentication methods.
• Access control matters - The NFL's system of secret numbers aimed for limited access. However, that sensitive data wasn't secured on the coordinator's device. Businesses must ensure data access is restricted and protected wherever it's stored or accessed.
• Recognizing deception - The prank call, using impersonation for deceptive purposes, is functionally similar to a phishing attack. It's a potent reminder to treat unexpected communications with caution and verify requests through established channels.

This situation demonstrates that even simple security oversights can have costly and far-reaching consequences, regardless of the industry.

If you would like help establishing a cybersecurity strategy that aims to keep downtime to a minimum and help you get your hands on beneficial software and strategies that you may not have at the moment, give Quercus IT a call today at (780) 409-8180.