Leeds United, an English football club, recently revealed that their retail website fell victim to a cyberattack in February, resulting in the theft of payment card details belonging to a “small number of customers.” The attack lasted from February 19 to 24 and the club has since taken steps to address the breach.
When questioned by The Register for more information regarding the incident and the extent of the data compromised, Leeds United declined to provide further details. However, they did confirm that affected customers have been notified and the club is working closely with the Information Commissioner’s Office (ICO) in the UK.
According to a statement released by Leeds United, a forensic investigation was conducted by a specialist third party once the breach was discovered. Despite having multiple layers of cybersecurity in place, the club expressed disappointment that the attack was successful and issued apologies to those affected.
Jake Moore, a global cybersecurity advisor at ESET, suggested that the cybercriminals behind the attack likely obtained card details from every transaction processed on the club’s website during the five-day compromise. He emphasized the importance of robust protection measures and continuous monitoring to prevent such incidents in the future.
The incident at Leeds United is not an isolated case within the football industry. The English Football League (EFL), which governs the league where Leeds United competes, reportedly issued alerts to clubs in response to cyberattacks on rival teams in the past. This included break-ins into email systems at Bristol City and Sheffield Wednesday, leading to phishing attempts targeting fans.
In a separate incident, League One club Charlton Athletic also faced cybersecurity challenges related to legacy IT infrastructure after migrating to the cloud. These incidents highlight the vulnerability of sports clubs to cyber threats due to the financial stakes involved.
Recent examples of cyberattacks on sports organizations include RansomHub targeting Italy’s Bologna FC and BlackByte extorting the San Francisco 49ers in the United States. These incidents serve as reminders of the constant vigilance required to safeguard sensitive data in the digital age.
As the sports industry continues to grapple with cybersecurity challenges, it is essential for organizations to invest in robust security measures and stay proactive in mitigating cyber risks. The incident at Leeds United serves as a cautionary tale for other clubs, emphasizing the need for ongoing vigilance and adherence to best practices in data protection.