Cyber Incident Victim: World Rugby

On May 3, 2018, World Rugby detected unauthorized access to the subscriber database of its training and education portal, a platform used globally by players, coaches, and parents for accessing training drills, technique guides, and injury prevention resources. The attackers exfiltrated subscriber data including first names, email addresses, and encrypted (hashed) passwords. World Rugby immediately suspended access to the affected sites and databases upon discovery, isolating the breach to prevent further compromise. Forensic investigations confirmed that the main World Rugby website (worldrugby.org), which housed Rugby World Cup ticketing data, fan information, and player disciplinary records, remained unaffected. The organization engaged data security and technology experts to analyze the incident’s scope and origin, though the motive—whether random data theft or targeted espionage—remained unclear. By May 12, the training portal remained offline as diagnostics continued.

The breach impacted thousands of subscribers across World Rugby’s grassroots network. Subscribers received direct email notifications detailing the accessed information, with reassurances that encrypted passwords minimized immediate misuse risks. Users were advised to change passwords upon the portal’s reactivation, though some expressed frustration over the inability to do so during the outage. World Rugby reported the incident to Ireland’s Data Protection Commissioner, complying with regulatory obligations ahead of the EU’s GDPR enforcement deadline (May 25, 2018). Had the breach occurred post-GDPR, the organization could have faced fines up to €10 million. Internal investigations identified the breach’s cause, which was isolated and remediated. World Rugby emphasized its commitment to data protection, citing immediate containment actions, ongoing collaboration with regulators, and enhanced security measures to prevent recurrence.