
The French Football Federation (FFF) has confirmed a data breach involving the administrative software used by clubs to manage member records, revealing that unauthorized access led to the exfiltration of personal data for an undisclosed number of individuals.
The Fédération Française de Football (FFF) is the governing body for soccer in France, responsible for organizing professional and amateur competitions, managing national teams, and overseeing licensing for more than 2.2 million registered members, including players, coaches, and volunteers.
The incident was disclosed following the detection of suspicious activity tied to a compromised user account. According to the FFF, the intrusion allowed threat actors to access a database containing sensitive details, including:
- Names
- Dates and places of birth
- Gender
- Nationality
- Postal addresses
- Email addresses
- Phone numbers
- Unique licensee identification numbers
In response, the FFF's internal teams promptly revoked the compromised account and reset all user passwords associated with the system. A formal complaint has been filed, and both the French data protection authority (CNIL) and the national cybersecurity agency (ANSSI) have been notified.
The affected system is part of the FFF's internal infrastructure used by France's 14,000 amateur clubs for managing over two million registered members. While the federation did not disclose the scale of the breach, the compromised data pertains directly to the individuals listed in the club administration system, suggesting a potentially wide impact that includes both amateur and professional participants in the sport.
As a preventive measure, the FFF has committed to informing all affected individuals whose email addresses were present in the leaked dataset.
In December 2024, it was reported that a threat actor was attempting to sell a database allegedly belonging to the FFF on a hacking forum. The listing claimed to include data on over 10 million individuals, far exceeding the number of members currently registered with the FFF.

At the time, Hackmanac noted discrepancies in the numbers and speculated that the data could span multiple years or include multiple entries per person. A sample from the alleged leak appeared to show comprehensive personal details, including club transfer data from 2023. No definitive link between that dataset and the current breach has been established.
Users are urged to remain alert to potential phishing attempts impersonating the FFF, their clubs, or other sports-related entities. The federation recommends avoiding suspicious messages, especially those requesting sensitive information or prompting the download of attachments.






