Following the conclusion of some of their matches this season, as with any other season, the sentiment among Leeds United football supporters that they have “been robbed” can be heard reverberating around the ground, on the terraces, and in the streets around their Elland Road stadium. Perceived injustice is a part of the sport, and although keenly felt, their loyal followers can (after a cup of Yorkshire tea) shrug it off and carry on.
What they won’t be so familiar with, however, is receiving an official communication from the club informing them that they themselves have actually been robbed. This was what some fans had to endure this week when they received an email from the club telling them that they had been directly impacted following a cyber-attack targeting the club’s retail website between 19th and 24th February this year.
Incident Report
An attack, Leeds United went on to state in a post on their official website, leedsunited.com, that had “resulted in the card details of a small number of customers being compromised.” The club expressed frustration that attackers had bypassed “layers of cybersecurity” and went on to offer their sincere apologies to anyone adversely affected by the incident. In the statement, they also reassured supporters that their response had been to have “a specialist third party” conduct a “forensic investigation” upon discovering the breach, with steps subsequently taken to halt the attack and reclaim control of their systems. The club said they are also continuing to work with the Information Commissioner’s Office.
It’s in The Game
Unfortunately, this isn’t the only case of a football club operating in the second-highest tier of English football, which is also the fifth-best followed league in Europe, falling victim to a cyber-attack this season. The Mail Online reported in September 2024 that two other clubs, Sheffield Wednesday and Bristol City, had been victims of attacks, with numerous supporters of the latter sharing on a popular fans forum that they had received suspicious emails from the club informing them orders made and previously despatched in 2023 “had now been despatched.” In both club’s attacks, phishing emails were sent out from malicious actors pretending to be senior figures at the football club, namely the finance director and chief financial officer, respectively.
Defensive Work
Although Leeds United has yet to elaborate on the specificities of their own attack, the details we have would suggest that the attack may well be similar to the one experienced earlier this year by fans of the NFL giants, The Green Bay Packers. In that incident, a threat actor hacked the team’s official online retail store and injected a card skimmer script to steal customers’ personal and payment information. Like Leeds, when Green Bay notified their customers what had happened, they detailed a window of multiple days where sensitive data was potentially compromised. As a gesture of goodwill, Green Bay is offering subsidized access to credit monitoring and identity theft restoration services. Still, as we are not privy to Leeds United’s direct correspondence to affected supporters at this time, we cannot confirm what remediations they may have offered.
Javvad Malik, Lead Security Awareness Advocate at KNowBe4, praised Leeds United’s handling of the incident. He said, “Leeds’s swift response is commendable and serves as a wake-up call for the entire sports industry.”
Expert Analysis
As this blog detailing emerging cybersecurity scams from Tripwire rightly identifies, “Attackers do not care about who they target as long as they get people’s and establishments’ information and credentials.” As major enterprises with tens, sometimes hundreds, of thousands of customers or more, major football clubs are attractive targets for opportunistic cybercriminals seeking to exploit vulnerabilities and leverage the loyalty of supporters.
James McQuiggan, a Security Awareness Advocate who also operates at KnowBe4, highlighted what steps individuals could take to protect themselves. “Individuals need to be proactive with their financial security by regularly monitoring their bank, credit card, or other financial accounts. Cybercriminals always go after the money and detect unauthorized transactions, and users can alert their financial institutions to prevent further fraudulent activity.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.