The French Football Federation disclosed on Friday that attackers used a compromised account to gain access to administrative management software used by football clubs.
After detecting the unauthorized access, the federation’s security team disabled the compromised account and reset all user passwords across the system. The FFF said that before the intruders were detected and evicted, they stole personal and contact information from members of French football clubs.
The federation said the breach was limited to name, surname, gender, date and place of birth, nationality, postal address, email address, telephone number and license number. In line with European data protection rules, it has filed a criminal complaint and notified France’s National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL).
The FFF said it will directly notify all individuals whose email addresses appear in the compromised database and urged members to be suspicious of messages claiming to originate from the federation, their clubs or other senders. Club members were warned to be wary of any communications requesting that they open attachments or provide account credentials, passwords or banking information.
The federation said it is committed to protecting the data entrusted to it and is strengthening and adapting its security measures. Earlier this month, the French social security service for parents and home-based childcare providers (Pajemploi) also reported a separate data breach that may have exposed the personal information of about 1.2 million people.