Cyber Incident Victim: Fédération Française de Tir à l'Arc
Date: Jan 2025
Location: France
Summary
The Fédération Française de Tir à l'Arc experienced a data breach through a security vulnerability at its third-party licensing platform provider, enabling unauthorized access to members' personal information including names, genders, birthdates, postal addresses, phone numbers, email addresses, and profile photos. Encrypted passwords for licensee and administrator portals remained uncompromised, though credential resets were planned as a precaution. Following detection, the federation and provider neutralized the malicious file, implemented immediate technical security enhancements, initiated an external security audit, and reported the incident to regulatory authorities alongside filing a legal complaint.
Description
On January 20, 2025, the Fédération Française de Tir à l'Arc (FFTA) was notified of a personal data breach that occurred earlier that month. The incident originated from a security vulnerability exploited at their third-party service provider, which managed license holder and official portals for multiple sports federations. Malicious actors leveraged this flaw to access sensitive personal information belonging to FFTA license holders. Compromised data included full names, genders, dates of birth, postal addresses, telephone numbers, email addresses, and profile photographs. The federation confirmed that encrypted passwords for licensee and official accounts remained uncompromised but announced planned password resets as a precautionary measure. FFTA's investigation determined attackers infiltrated systems through a specific security gap, though the exact date of initial intrusion was not disclosed in public communications.

Upon discovery, FFTA and its provider implemented immediate corrective actions: identifying and neutralizing the malicious file responsible for the breach, securing the compromised entry point, and enhancing technical security measures across the provider's systems. The federation formally reported the incident to France's data protection authority (CNIL) and filed a legal complaint, though specific jurisdictional details were not provided. An external security audit was commissioned to evaluate potential vulnerabilities and improve the provider's data management processes. While financial or identity documents were not confirmed as compromised, the breach exposed sufficient personal data to enable targeted phishing or social engineering attempts against affected individuals. FFTA issued a public apology acknowledging the incident's impact but did not disclose the total number of affected license holders or specify whether data appeared on illicit platforms following the breach.
