The Rise of Cybersecurity Threats in Esports: Legal Implications and Risk Management Approaches to DDoS

  • Market Insight 27 November 2024
  • UK & Europe

  • Technology risk

The DDoS attacks on the League of Legends Champions Korea (“LCK”) tournament in February 2024 made the threat of cybersecurity breaches in esports impossible to ignore. Beyond the immediate gameplay disruption, the attacks expose esports organisations to significant legal and compliance risks, making robust cybersecurity protections essential to safeguarding the industry. This article explores the legal implications of this form of cyberattack, examining the compliance challenges, data protection concerns and risk management strategies.

What is a DDoS attack?

DDoS stands for “Distributed Denial-of-Service” and is a type of cyberattack designed to overwhelm a target’s devices, services or networks by flooding them with internet traffic. DDoS attacks originate from multiple remote systems, each with a unique IP address, making them faster and more challenging to block. As a result, the victim becomes unable to use their device or server effectively or at all.

Why DDoS attacks are a growing problem in competitive gaming

Driven by a mix of motives – ranging from disrupting opponents and seeking financial gain to simply gaining attention – hackers increasingly target individual players, game developers and even entire tournament infrastructures. These attacks can inflict significant reputational damage and have far-reaching implications for sponsors and event organisers, ultimately affecting their revenue streams.

When the LCK, which achieved a peak viewership of 2.6 million, was the target of a series of DDoS attacks, it led to the cancellation of matches and the live broadcast due to ongoing ping issues. As part of its remediation strategy, an offline game server was implemented, which does not rely on the internet to function. Whilst online servers allow for seamless game updates and enable teams to practice conveniently from their own facilities, they are far more vulnerable to DDoS attacks, which can disrupt games and jeopardise the competitive integrity of tournaments.

Similarly, in February 2024, players of Overwatch 2 became victims of a large-scale DDoS attack that caused extreme lag for many and resulted in unfair bans for players disconnected from matches.

DDoS-ing becomes even more of a challenge for professional esports players, whose employment contracts often include strict streaming clauses requiring them to broadcast their gameplay for a specified number of hours each month. This issue was emphasised by Ryu “Keria” Min-seok, a professional esports player for T1, in March 2024. During one of his streams, Keria highlighted how the DDoS attacks targeting him impacted his ability to fulfil his streaming obligations as well as his capacity to practice effectively.

Given the increasing frequency and impact of DDoS attacks in competitive gaming, how effective is the current legal framework in safeguarding esports from cyber disruptions? 

Legal consequences of DDoS and unauthorised access

In the UK, DDoS attacks are illegal under the Computer Misuse Act 1990 (the “CMA 1990”). Unauthorised access to, or impairing the operation of, a computer constitutes an offence under the CMA 1990 and carries penalties, including imprisonment.

The Crown Prosecution Service and the National Crime Agency are responsible for investigating and prosecuting DDoS attacks in the UK. In addition to criminal charges, a hacker can also face civil liability. Companies or individuals are able to sue the perpetrator for damages or financial losses under UK tort law. 
However, in practice, holding perpetrators of DDoS attacks responsible can prove challenging as the identity of cyber attackers may not always be easily established. 

Protecting Against DDoS: Legal Remedies and Protection Options

Whilst the CMA 1990 provides avenues for prosecuting cyber attackers, it is essential for gaming organisations to recognise their obligations under the UK General Data Protection Regulation (“UK GDPR”). In the event of a DDoS attack that compromises players' personal data due to inadequate security measures, gaming companies may face significant liabilities and regulatory penalties. Under the UK GDPR, organisations may be fined up to £17.5 million or 4% of their annual global turnover, whichever is higher.

Therefore, it is crucial for the gaming industry to adopt robust cybersecurity practices. The Cyber Security Information Sharing Partnership, a collaboration between industry and government, provides a platform for sharing cyber threat intelligence and best practices among cybersecurity professionals. Furthermore, the National Cyber Security Centre offers comprehensive resources, including guidelines on developing effective DDoS response plans.

From a protective standpoint, any gaming companies involved in esports tournament organising, game development, game publishing, esports betting, server hosting or streaming might be at risk of DDoS attacks and should consider implementing the following measures:

  • Advanced Cybersecurity Systems: utilising technologies such as intrusion detection systems or DDoS mitigation services;
  • Implementing Specific Contractual Clauses: incorporating specific clauses into contracts with players and sponsors that mandate adherence to cybersecurity protocols;
  • Cyber Security Preparedness: investing and dedicating time to cyber preparedness. For example, a cyber tabletop offers organisations an informal operational environment for team members to build their understanding of the incident response process, consider key decision points, and align on roles and responsibilities. This type of exercise is a great starting point for organisations that are working to build competence and confidence in cyber and crisis response;
  • Collaboration with Cyber Response Experts: engaging specialised cyber breach counsel, like Clyde & Co, to develop tailored solutions including rapid response capabilities;
  • Cybersecurity Insurance: investing in insurance policies which can serve as a safety net in the event of an attack.

Risk management and incident response strategies for DDoS and data breaches

To effectively safeguard against DDoS attacks and data breaches, organisations must adopt a proactive approach to risk management and incident response. This involves conducting regular risk assessments to identify vulnerabilities, developing comprehensive incident response plans that outline procedures and responsibilities, and providing ongoing employee training to enhance cybersecurity awareness. The more robust these measures are, the more difficult it becomes for hackers to carry out successful attacks. 

Conclusion

As the esports and gaming industry continues to expand, the intensity of cyberattacks will increase. DDoS-ing poses significant risks not only to the operational integrity of gaming organisations but also to the personal data of players. By understanding the legal implications and implementing layered security measures, companies can better prepare themselves against these threats.

Companies are encouraged to consider enhancing their cyber security posture and evaluating their cyber security preparedness, through cyber tabletops for instance. When faced with a cyber incident, it is crucial that organisations have a framework in place to respond effectively, with breach counsel, like Clyde & Co, on hand to help respond swiftly and sensitively to threats against your company and to any data breach you may face.
