Paris Saint-Germain (PSG), the Qatari-owned French football club, has said that a cyberattack targeted its online ticketing system before Wednesday’s clash with Barcelona in the Champions League.
According to the club’s letter to the fans, first published by Le Parisien, the incident was detected last week and shared with supporters on Monday.
“Madam, Sir, on April 3rd, the Information Systems Department of Paris Saint-Germain was challenged by unusual access attempts to the club's ticketing system,” says the letter.
“Our teams detected a vulnerability, which they resolved in less than 24 hours. Additional security measures were immediately implemented.”
PSG says the club promptly informed the CNIL, the data protection authority for France, of the incident. Under the European Union’s data protection laws, the CNIL could fine PSG if the club was found to have been negligent in protecting customers’ data.
PSG says there is no evidence data has been extracted or exploited by a malicious third party but then warns the fans that the system held some of their personal data, including names, email and postal addresses, mobile phone numbers, and dates of birth.
Based on the description of the incident, it appears to have been a credential-stuffing attack. When executing such attacks, threat actors gather credentials that were exposed in data breaches and use them to log into other websites.
Football clubs, of course, are huge enterprises and are often targeted by cybercriminals. For example, the Royal Dutch Football Association was claimed by the infamous LockBit ransomware gang in 2023, and in 2020, a cyberattack hit Manchester United’s systems.
Back on the ground, police in London, Madrid, and Paris deployed additional forces and stepped up security measures this week after Islamic State threatened to target the Champions League quarterfinal matches, according to France’s interior minister Gerald Darmanin.
Your email address will not be published. Required fields are markedmarked