How DDoS attacks are shaping esports security and risk management

Mitigation strategies are vital as disruptions risk contracts and revenue

By Kenneth Araullo

Earlier this year, DDoS attacks on the League of Legends Champions Korea (LCK) tournament highlighted the growing cybersecurity risks in the esports sector. These disruptions, which halted gameplay and affected broadcasts, underscore the significant legal and compliance challenges facing esports organisations.

Rosehana Amin, a partner at Clyde & Co, has outlined key insights into the implications of these attacks and the strategies organisations can employ to mitigate risks.

A distributed denial-of-service (DDoS) attack is a cyberattack aimed at overwhelming a network, server, or device with excessive traffic from multiple sources, rendering it inoperable.

“Driven by a mix of motives – ranging from disrupting opponents and seeking financial gain to simply gaining attention – hackers increasingly target individual players, game developers and even entire tournament infrastructures,” Amin said. “These attacks can inflict significant reputational damage and have far-reaching implications for sponsors and event organisers, ultimately affecting their revenue streams.”

In February 2024, the LCK tournament, which saw a peak viewership of 2.6 million, experienced a series of DDoS attacks. Matches were cancelled, and live broadcasts were disrupted due to persistent ping issues. An offline game server was introduced as a temporary solution, but online servers remain more vulnerable to such attacks.

“DDoS-ing becomes even more of a challenge for professional esports players, whose employment contracts often include strict streaming clauses requiring them to broadcast their gameplay for a specified number of hours each month,” Amin said.

Legal framework and compliance challenges

Under UK law, DDoS attacks are prohibited by the Computer Misuse Act 1990, which criminalises unauthorised access and the impairment of computer operations. Offenders may face imprisonment or civil liability, enabling affected parties to claim damages for financial losses.

“Companies or individuals are able to sue the perpetrator for damages or financial losses under UK tort law,” she said. “However, in practice, holding perpetrators of DDoS attacks responsible can prove challenging as the identity of cyber attackers may not always be easily established.”

In addition to criminal liability, organisations must ensure compliance with the UK General Data Protection Regulation (UK GDPR). If a DDoS attack compromises personal data due to inadequate security measures, companies could face fines of up to £17.5 million or 4% of annual global turnover, whichever is higher.

“The Cyber Security Information Sharing Partnership, a collaboration between industry and government, provides a platform for sharing cyber threat intelligence and best practices among cybersecurity professionals,” Amin said. “Furthermore, the National Cyber Security Centre offers comprehensive resources, including guidelines on developing effective DDoS response plans.”

To address the escalating threat of DDoS attacks, esports organisations need to adopt a comprehensive approach to cybersecurity. This includes advanced cybersecurity systems, contractual clauses, incident preparedness, collaboration with experts, and cyber insurance.

A robust incident response framework is essential for managing the fallout of DDoS attacks. This involves conducting regular risk assessments, developing detailed response plans, and training employees to identify and respond to cyber threats. By investing in these areas, organisations can reduce their vulnerability to attacks and minimise operational disruption.

“As the esports and gaming industry continues to expand, the intensity of cyberattacks will increase. DDoS-ing poses significant risks not only to the operational integrity of gaming organisations but also to the personal data of players,” Amin said. “By understanding the legal implications and implementing layered security measures, companies can better prepare themselves against these threats.”
