Key takeaways
- Reported estimates put direct tournament data near 90 petabytes, roughly 45 times Qatar 2022, and around two exabytes once AI, streaming, betting, and social workloads are counted.
- Almost all of it is unstructured: video, optical and GPS tracking, wearable telemetry, images used to train models, and the files those systems leave behind.
- Legal analysis describes sports-data ownership as a bundle of rights spread across players, clubs, vendors, leagues, and broadcasters, with no single owner. Under the GDPR, much of it is special-category personal data.
- Contracts and consent describe who may use data. Only an immutable, per-operation record at the storage layer establishes who did.
The 2026 World Cup is the largest ever staged: 48 teams, 104 matches, 16 stadiums, three host countries. FIFA has projected more than $11 billion in revenue across its 2023–26 commercial cycle, up from roughly $7.5 billion in the previous one, with media rights the single largest component. Those are the numbers that lead the business coverage.
The numbers that should interest anyone responsible for data are further down. According to reported estimates cited by Yahoo Finance, IndexBox, and Global Trade Magazine, the tournament itself will generate on the order of 90 petabytes, roughly 45 times Qatar 2022. The drivers are more matches, more venues, denser camera and sensor coverage, and the connected ball. Add AI models, simulations, streaming distribution, betting and prediction markets, and social platforms, and the total lands near two exabytes, which those estimates liken to about 45,000 years of 4K video.
Almost none of that is rows in a database. It is video, optical and GPS tracking, wearable telemetry, biometric readings, training imagery, and the sprawl of files every one of those systems produces. It is, in other words, an unstructured data estate: the same shape as the one most enterprises are quietly building, only compressed into five weeks.
When data is the product, ownership gets complicated
Here is what makes this more interesting than a big-number story. Nobody entirely agrees who owns any of it. In a July 2026 analysis, the law firm Morgan Lewis describes sports-data ownership as "a bundle of rights rather than a single answer," noting that data itself is not universally recognized as owned property under most legal systems. What exists instead is a web of contracts among players, clubs, technology vendors, leagues, and broadcasters, each with a claim to some slice.
The slices are not equivalent. Morgan Lewis separates match-event statistics from optical and GPS tracking, wearable measurements like heart rate and fatigue, biometric information, video and imagery used to train AI, and fan and betting datasets. Under the GDPR, much of that is special-category personal data, carrying obligations around consent, retention, third-party sharing, and cross-border transfer. The FIFPRO Charter of Player Data Rights treats performance metrics as personal data belonging to the athlete, and Project Red Card showed players willing to challenge commercial exploitation of it.
So the same telemetry stream is, simultaneously, a broadcaster's asset, a club's competitive advantage, a vendor's licensed product, and a player's personal data. Every one of those parties has a legitimate reason to touch some of it. None has a legitimate reason to touch all of it.
Contracts say who may. Only the data layer knows who did.
That gap is the whole argument, and it needs no breach to matter. A contract, a consent form, and a data-processing agreement are statements of intent. They are enforced, or quietly ignored, at one specific moment: when a session opens a file. Everything upstream of that moment is paperwork.
Attribute-based access control is how "may" becomes real, enforced per file and per operation rather than asserted once at the identity provider and hoped for thereafter. An immutable, per-operation audit trail is how "did" becomes provable. Without the second, data-rights compliance is a claim an organization makes about itself. With it, the question of which vendor read which player's biometric files, and when, has an answer that survives a regulator, an arbitration, or a player association asking it in earnest.
This is also where the AI part stops being a marketing adjective. Teams are described as working with models trained across hundreds of millions of data points and more than 2,000 performance metrics. Training corpora are unstructured file data, and a pipeline assembling one reads enormous volumes of files very quickly, which at the storage layer looks a great deal like exfiltration. Telling a sanctioned job apart from an over-scoped one takes something that examines every operation rather than simply serving it. RackTop holds four U.S. patents on the Cyberstorage architecture; the inline Active Defense design was filed on September 8, 2020, ten months before Gartner named the category in July 2021.
A five-week version of a decade-long problem
Most organizations will never run a World Cup. Nearly all of them are assembling the same estate on a slower clock: video, imagery, sensor output, models, and documents accumulating across file shares reachable over SMB, NFS, S3, and Web Drive, touched by employees, contractors, vendors, and increasingly by AI pipelines that were pointed at "everything" because scoping them was harder than not.
The tournament also makes a second constraint unusually legible. There are 104 matches on fixed dates, and a final cannot be rescheduled. Recovery time is not an IT metric there; it is the business. Most enterprises have their own version of that deadline: a close, a filing, a delivery. The ability to restore exactly what an incident touched, rather than roll an entire estate backward, is what decides whether the deadline holds.
None of this requires anyone to be attacked. It requires only that data has become the asset, which the $11 billion says it has. Once that is true, the controls have to live where the data lives: least privilege enforced at the file, behavioral detection of bulk reads and mass change on production data, an audit record no one can quietly edit, and recovery precise enough to be worth using. The World Cup runs that experiment in public on a five-week clock. Everyone else runs it slowly, and the bill arrives later, in an audit or a regulator's letter or a customer questionnaire, at the point where someone has to show precisely who touched what. That evidence either exists in the data path or it does not exist at all.
Frequently asked questions
- There is no single owner. Legal analysis from Morgan Lewis describes it as a bundle of rights allocated by contract among players, clubs, technology vendors, leagues, and broadcasters, because data is not universally recognized as owned property. Under the GDPR, player tracking and biometric data is treated as special-category personal data, and the FIFPRO Charter of Player Data Rights recognizes performance metrics as belonging to the athlete.
- Data rights are granted on paper but exercised at the moment a session reads a file. Attribute-based access control enforces those limits per file and per operation, and an immutable per-operation audit trail is the only way to prove which party actually accessed which data. Governance that cannot be evidenced at the data layer is an assertion rather than a control.
Go deeper
