English football club Leeds United says cyber criminals targeted its retail website during a five-day assault in February and stole the card details of “a small number of customers.”
The attack took place between February 19 and 24, it said in a statement.
The Register asked Leeds United for more details about the raid, whether any other details beyond payment card data were compromised, and exactly how many fans were affected, but it declined to comment further.
Its statement, however, went on to say that those who were impacted by the theft have already been notified directly and the club continues to liaise with the UK’s data protection watchdog, the Information Commissioner’s Office (ICO).
“A forensic investigation was undertaken by a specialist third party as soon the club discovered the breach, and measures were implemented to stop and recover from the attack,” said Leeds United.
“The club is disappointed that the attack was successful despite layers of cybersecurity, and offer our sincere apologies to anyone who has been adversely affected.”
Jake Moore, global cyber security advisor at Slovak security shop ESET, claimed it’s likely the attackers were able to lift card details used in every transaction processed by the club shop in the five days it was compromised.
“These types of attacks are cleverly able to penetrate a website and take copies of all payments with ease whilst hiding undercover,” he said. “In a short space of time, cybercriminals would have been able to swipe card payment details from all transactions from within the time frame affecting all customers from that time.
“Although this digital heist can often go under the radar, it highlights the importance of robust protection, due diligence by all websites handling user’s financial data, and for website admins to monitor any anomalies, however small.
“Anyone affected by this breach should contact their bank immediately to cancel the compromised card, request a replacement, and follow the bank’s fraud prevention guidance.”
The English Football League (EFL), the governing body for the league in which Leeds United plays and currently leads, the Championship, reportedly issued alerts in September 2024 after cyberattacks led to break-ins at the email systems of rival clubs Bristol City and Sheffield Wednesday.
Crafty crims managed to gain access to both clubs’ email systems and sent phishing links to fans. The EFL warned all 72 clubs under its remit not to open emails purporting to be from Bristol City’s CFO Vicki Long or Sheffield Wednesday’s finance director John Redgate.
League One club Charlton Athletic also disclosed its own cybersecurity problems earlier that same month, although it was separate from the email compromises at the Championship clubs and related to legacy IT infrastructure after recently migrating to the cloud.
Given the large sums of money associated with the sport, it makes sense that clubs are targeted by cybercriminals, including ransomware groups. Most recently Italy’s Bologna FC was hit by RansomHub in November, while the San Francisco 49ers – who play the other football – were also attacked in 2022 by the extortionists at BlackByte. ®