Cyber Incident Victim: Liverpool FC
Date:
Jul 2018
Location:
United Kingdom
Summary
Liverpool FC experienced a data breach when unauthorized third parties compromised a staff email account, exposing personal information of approximately 150 hospitality season ticket holders. Stolen data included names, email addresses, dates of birth, membership numbers, billing addresses, and bank details, though no fraudulent activity was confirmed. The organization secured the account, initiated an investigation, notified affected individuals and authorities, and established a support team while offering complimentary credit monitoring. Some impacted supporters criticized the response as insufficiently urgent, expressing concerns about potential financial repercussions despite club assurances of enhanced security measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 19, 2018, Liverpool Football Club disclosed a data breach involving unauthorized third-party access to a staff email account, resulting in the theft of personal information belonging to approximately 150 hospitality season ticket holders. The compromised data included names, email addresses, dates of birth, membership numbers, and billing addresses stored in email attachments. While initial communications to affected supporters stated bank details were not exposed, a club representative later confirmed during phone conversations that bank account numbers and sort codes were also compromised. The breach occurred when malicious actors gained access to the email account containing sensitive supporter information. Liverpool FC detected the incident and promptly implemented measures to prevent further unauthorized access, though the exact timeline of intrusion discovery remains unspecified in public statements.
The club notified impacted individuals via email and established a dedicated response team to address inquiries, while also reporting the incident to UK data protection authorities and law enforcement. Affected supporters received offers of free 12-month Experian credit monitoring services. At least one season ticket holder reported inconsistencies in the club's communications regarding the scope of exposed data and expressed dissatisfaction with the responsiveness of club officials to their mortgage-related security concerns. The supporter described receiving multiple initial emails that downplayed the severity before learning about the full extent of compromised banking information during follow-up calls. Liverpool FC maintained there was no evidence of fraudulent activity stemming from the breach at the time of disclosure and emphasized ongoing system monitoring and security enhancements to prevent recurrence. The incident raised questions among affected supporters about broader vulnerabilities given the club's retention of sensitive data for tens of thousands of season ticket holders and hundreds of thousands of members.