
Cyber Incident Victim: Classic Football Shirts

Date: Jul 2021

Location: United Kingdom

Summary

A cybersecurity breach at Classic Football Shirts exposed customer data through a third-party provider, leading to fraudulent cashback phishing emails sent from spoofed addresses containing an extra 's'. The company confirmed unauthorized access to names, addresses, email addresses, and order histories but stated payment information remained uncompromised as it wasn't stored internally. Some customers reported financial losses, including unauthorized transactions exceeding $700, prompting the firm to advise vigilance and card cancellations for those who engaged with the phishing link. Affected individuals criticized the inadequate data protection measures while acknowledging the company's prompt breach disclosure.


Description

On July 8, 2021, Classic Football Shirts, a Manchester-based retailer specializing in vintage football apparel, experienced a cybersecurity incident involving unauthorized access to customer data through a third-party provider’s systems. The breach led to phishing emails being sent to customers at approximately 20:00 BST on July 8, falsely offering cashback on previous orders. These emails originated from the address [email protected], which contained an extra ‘s’ compared to the legitimate domain (classicfootballshirts.co.uk). The company detected the fraudulent activity at 20:30 BST—30 minutes after the emails were dispatched—and promptly advised customers via social media not to interact with the links. Classic Football Shirts clarified that payment information and passwords remained uncompromised, as card details were never stored on their systems. They instructed affected individuals to contact their banks to cancel cards if they had submitted financial information through the phishing form.


The incident exposed customer names, email addresses, physical addresses, and order histories, triggering widespread concern among clients. Multiple customers reported the phishing attempt’s deceptive domain structure, while one verified victim, Fernando Paredes, confirmed a fraudulent $700 (£504) transaction after interacting with the link. His bank initiated an investigation following the card cancellation. Customers criticized the company’s data protection measures as “unprofessional” and expressed apprehension about the third-party provider’s security vulnerabilities. Classic Football Shirts publicly apologized for the “inconvenience caused” and emphasized ongoing vigilance but did not disclose the breach’s scale or identify the compromised vendor when queried by the BBC. The company, founded in 2006, maintained its reputation as a global supplier of retro football kits despite the operational disruption and reputational impact stemming from the attack.
