In an email obtained by Sports Illustrated, Catapult, the software company that the overwhelming majority of college football teams use to both host and exchange game and practice film, sent a message to its users Sunday morning as rumors swirled about security issues regarding the app. Both the Alabama Crimson Tide and Michigan Wolverines spoke about taking precautions to safeguard their film during Rose Bowl prep.
“Over the past few days, there were false reports that Catapult is under investigation by the NCAA and law enforcement regarding our ThunderCloud video system,” the email said. “While we assisted a local law enforcement authority investigating an alleged unauthorized access into a customer's ThunderCloud system, this was not an investigation of Catapult. In conjunction with this investigation, Catapult proactively conducted a thorough security review of our ThunderCloud system and found no data breaches or unauthorized access to any customer's content. We are not under investigation by the NCAA or any law enforcement agency.”
Kirby Lee/USA TODAY Sports
The email went on to assure that user passwords are secure through encryption and that Catapult internal teams cannot access individual users' content and they can only reset passwords after validating a user’s login credentials. Catapult works with over 4,000 sports teams worldwide.
For college football programs it is one of two main options to host and share film. Catapult has more robust options on the backend for video coordinators, for instance, to generate clips for any situation automatically, such as all the plays run by a certain down and distance, route concept, or field zone. But it’s also much more expensive. Its top-tier package can cost a team well into the six figures per year to host its video and give access to over 100 players and staff and unlimited support calls with Catapult’s team if something goes wrong. In the opinion of multiple college football video coordinators, a significant data breach of Catapult’s systems would be “catastrophic” and “change everything.”
During Alabama’s first media session, multiple Crimson Tide players acknowledged that during College Football Playoff prep they were not allowed to watch film on their individual tablets (a common practice) and instead could only watch in groups with their coaches. It’s not that the amount of film watched has decreased, only how they view it.
Following the news from Bama players, Catapult released a public statement to multiple media members on Dec. 29 that said “[Catapult is] aware of the ongoing investigation of the alleged unauthorized access to NCAA football video footage. We have conducted an internal investigation and have not found any security breach in our systems. We have shared this with local authorities that are conducting an investigation.”
It is still unclear what local law enforcement agency Catapult was working with. A Dec. 29 request for clarification from Catapult by SI has not been returned. A Michigan spokesperson told ESPN that it was not accused of the breach and instead the Wolverines believe they were a potential target.
Michigan offensive coordinator Sherrone Moore said the Wolverines adopted the same policy in early November while the fallout from the Wolverines sign stealing investigation was raging on.
“Yeah, just caught wind of things that could be going on, and just told our kids, I think it was early November, ‘Hey, we’re not watching stuff on the iPads anymore.’ Watch it in-house and handle it that way,” Moore said.
On Nov. 27, Catapult sent a message to users to share best practices to enhance security, including two-factor authentication and generating usage reports to monitor who is accessing a team’s network. It also shared further security recommendations and info on different security permissions. The best practices were reiterated in the New Year’s Eve note.
