For decades, the primary concerns facing student-athletes revolved around physical injuries, mental health challenges, and performance pressures. Today, a new threat has emerged: cybersecurity.
A recent breach reported by cybersecurity expert Jeremiah Fowler exposed more than 3.1 million records, including sensitive data belonging to high school student-athletes and college coaches. An unsecured recruiting platform database allegedly tied to PrepHero, is the culprit, which included unencrypted files with names, emails, phone numbers, even passport scans. At Athletic Directors 411, we believe that ADs have a responsibility for the overall safety and wellness of their student athletes — and it’s time to start encompassing data protection into that responsibility.
Why Athletic Departments Are Prime Targets
Education institutions are prime targets for cybersecurity attacks: They store huge amounts of sensitive student and staff data, rely heavily on technology for learning and administration, and often have limited resources for cybersecurity members. The risk is even greater for athletic programs, as they collect and share an even wider spread of personally identifiable information (PII): Emergency contacts, medical forms, eligibility documents, recruiting profiles, travel plans, sometimes financial or insurance information, and even biometric information. These data sets are often stored across various platforms — from team communication apps to third-party recruiting tools — and sometimes without centralized IT oversight.
For hackers and scammers, this decentralized system is a gold mine. Young athletes often don’t check their credit or online profiles, making them prime targets for identity theft that may go unnoticed for years. And coaches or administrators with access credentials can be targets for phishing attacks, impersonation schemes, or credential theft that jeopardizes the entire school network.
The Fallout of a Breach
The risks are more than theoretical. A breach could:
- Expose student identities and financial data.
- Open the door to phishing attacks aimed at students, parents, or staff.
- Compromise coach evaluations or private team communications.
- Damage a school’s reputation and erode trust from families and staff.
- Lead to legal or financial consequences, especially under data privacy regulations.
A Cyber Defense Playbook for Athletic Directors
So, what can you do? Here’s your starting lineup of best practices:
1. Vet All Third-Party Platforms
Before using any recruiting or communication tool, ask vendors:
- Is data encrypted at rest and in transit?
- Are databases password-protected?
- Do you have a breach response plan?
- Request documentation and ask about their last cybersecurity audit.
2. Implement Multi-Factor Authentication (MFA)
Require MFA for staff email, internal platforms, and any services involving PII. It’s a simple but powerful way to prevent unauthorized access.
3. Purge Outdated Data
Don’t hold onto documents longer than necessary. Create a policy for securely deleting outdated forms, files, and emails.
4. Train Coaches and Staff on Cyber Hygiene
Many breaches begin with one innocent click. Educate your team on spotting phishing attempts, using strong passwords, and avoiding unsecured Wi-Fi.
5. Restrict Access to Sensitive Info
Only authorized personnel should access rosters, medical forms, or recruiting files. Regularly audit who has access and adjust as roles change.
6. Avoid Open-Access Links
Never share sensitive documents via open-access URLs in emails or group chats. Use secure platforms or password-protected portals instead.
7. Partner with IT
Work closely with your district or school’s IT team to assess risks, implement safeguards, and develop a formal breach response plan. Push for district-wide cybersecurity training that includes athletics, and advocate for a line item in the budget to support secure digital infrastructure.
