Leicester City FC breach sees hackers score financial data

External shot of Leicester City Football Club's KP Stadium

The personal and financial details of supporters registered with Leicester City Football Club (LCFC), including card number and CVV, have been compromised in a breach of the club's online store.

Cyber criminals gained access to the club's systems between 23 April and 4 May and compromised the personal and financial details of customers signed up to its online fan store. These included cardholder names, card expiry dates, card numbers, and the three-digit CVV anti-fraud numbers.

The club notified relevant authorities including the Information Commissioner's Office (ICO) shortly after the breach was discovered, with affected supporters informed through an official club notice. LCFC subsequently issued a followup statement last week disclosing several further details around the hack.

The ICO confirmed it is investigating the incident, which potentially constitutes a violation of the General Data Protection Regulation (GDPR) which came into force little more than a year ago on 25 May 2018.

"Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets," a spokesperson said according to Leicester Mercury.

"In line with its GDPR responsibilities, the club informed all necessary parties - including potentially affected users, the police and the Information Commissioners Office (ICO) - and launched an immediate investigation into the source of the breach.

"The investigation is currently on-going. The club has been in direct contact with all users that were potentially affected by this breach."

The club initially informed supporters that it had launched an investigation into the theft of customer data from its retail website after the security of this platform was compromised during the two-week period. This exposed the personal and financial details of customers who made purchases during this time.

The club fully restored security to its platforms shortly after discovering the breach, and pledged to take "all legal recourse against those responsible for this malicious attack".

The former Premier League champions aren't the only club to have sustained a security incident recently, joining West Ham United (WHU) in the ranks of clubs investigated for potential GDPR breaches.

The East London-based side also faced the spectre of GDPR enforcement action after accidentally leaking the details of hundreds of season ticket holders last August.

"Leicester City Football Club has made us aware of an incident and we are making enquiries," an ICO spokesperson confirmed.

IT Pro approached LCFC but the club did not respond to requests for comment.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.