Players' data breached in French Football Federation cyberattack


Millions of amateur football players in France may have had their personal data exposed after the French Football Federation (FFF) suffered a cyberattack - and it may not be the first time this has happened.

In a statement published on November 26th, the FFF said it detected unauthorized access to the software platform used by all licensed football clubs in the country to manage administrative tasks, including registering their players with the federation.

According to the federation, which has over two million members, many of whom are under 18, the breached data includes first names and surnames, gender, date and place of birth, nationality, postal address, email address, telephone number, and license number.

The FFF said that it has also informed the individuals whose email addresses were listed in the database.

The federation, which operates 14 elite academies across France for young players, said that it then took “the necessary steps” to secure the software and data, including immediately disabling the account in question and resetting all user account passwords.

It added that a complaint has been filed with two key French government agencies that collaborate on cybersecurity and data protection – the ANSSI and the CNIL.

The federation also warned members to be vigilant for “suspicious or unusual communications” via SMS, call, or email that appear to originate from the FFF, in anticipation that the leaked information might be used to launch phishing attacks.

The news comes 18 months after an earlier suspected breach, with Cybernews researchers verifying that a sample of FFF player details had been published on a well-known data leak forum.

Experts say the incident highlights why athletes don’t have to play for Manchester United or Real Madrid to become vulnerable to cybercriminals.

“Smaller clubs and societies can sometimes consider themselves not interesting enough for criminals to attack. But this incident is a reminder about how deeply everyday life depends on centralized platforms,” says Javvad Malik, lead security awareness advocate at KnowBe4.

“In this case, we see how so many players, many of whom are children, have no say over how their data is collected, secured, or shared. Yet they are the ones who are impacted when something goes wrong.”

Attackers frequently target sports organizations as they often store data on a large number of individuals.

Sometimes, organizations inadvertently leak the data themselves. Earlier last year, the Cybernews research team discovered that Football Australia, the governing body of Australian football, had leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ data and players’ contracts and documents.

As Malik emphasized, “Many of these volunteer-driven clubs and associations rely heavily on third-party systems and do not have the skill to ask or look into the security capabilities.”

Malik added that governance, vendor oversight, and clear communication to affected individuals “needs to be a core function.”
