Cyber Incident Victim: Datasport

On January 22, 2024, Swiss sports services company Datasport suffered a cyberattack resulting in the theft of personal data belonging to up to one million amateur athletes. The compromised dataset included names, telephone numbers, and email addresses, though the company confirmed no security-sensitive information such as passwords or financial payment details were accessed. Datasport CEO Thomas Bachofner stated most affected information was voluntarily published by users on the Datasport.com platform and therefore already publicly accessible. Initial assessments indicated only limited records were compromised, but subsequent investigation revealed the breach's full scale. By late January, a data package containing approximately 1.3 million records appeared for sale on a hacker forum, with over 900,000 entries linked to Swiss residents and the remainder attributed to individuals from neighboring countries.

The intrusion occurred on January 22, though Datasport did not immediately recognize the attack's magnitude. Criminal actors gained unauthorized access to athlete profiles created through Datasport's platform, which manages registration processes, timing systems, and bib number distribution for mass participation sports events. While the company emphasized the non-sensitive nature of most stolen data, the exposure of contact details creates potential risks for targeted phishing or spam campaigns against affected individuals. No evidence suggests operational systems supporting race timing or results services were compromised. Datasport's public response focused on clarifying the breach scope and reiterating that user-published information constituted the majority of exfiltrated data, with no indication of deeper system infiltration beyond athlete profile records.