Cyber Incident Victim: Fédération Française de Football
Date:
Mar 2024
Location:
France
Summary
The Fédération Française de Football experienced a significant cyberattack resulting in the theft of personal data belonging to approximately 1.5 million license holders, primarily from recent seasons, though the attacker claimed possession of 10 million records. Compromised information included names, birth details, contact information, and license numbers, but excluded financial, medical, or password data. The breach raises concerns over targeted phishing campaigns and identity theft risks, with affected individuals being notified in compliance with data protection regulations. This incident occurred amid a surge in cyberattacks targeting French entities, including other large-scale data leaks and disruptive denial-of-service operations against government networks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 22, 2024, the French Football Federation (FFF) experienced a significant cybersecurity breach resulting in the theft of personal data belonging to its license holders. The attack was publicly disclosed on March 26 by Cybermalveillance, the French government’s digital security agency, which confirmed the extraction of 1.5 million records. The compromised data pertained exclusively to license applications for the 2022-2023 and 2023-2024 seasons and included names, genders, dates and places of birth, nationalities, legal guardian details for minors, postal addresses, email addresses, phone numbers, license numbers, and affiliated clubs. The hacker responsible claimed possession of data for 10 million individuals—a figure exceeding both the FFF’s reported 2.3 million active licenses in January 2024 and Cybermalveillance’s confirmed impact scope—and advertised the dataset for sale on a specialized cybercrime forum. Cybernews validated a sample of the stolen data as authentic, though discrepancies between the hacker’s assertions and official estimates raised questions about potential inclusion of historical records from players, clubs, or volunteers beyond the two most recent seasons.
Cybermalveillance clarified that passwords, banking information, medical records, and identity photographs remained uncompromised. The FFF initiated GDPR-mandated individual notifications to affected license holders following the breach. Authorities warned that the stolen data elevated risks of personalized phishing campaigns leveraging localized club affiliations (e.g., fraudulent emails impersonating regional coaches) and identity theft. This incident occurred amid heightened cyber threats targeting French entities in March 2024, including a separate breach at France Travail exposing 43 million benefit recipients’ data and distributed denial-of-service (DDoS) attacks against the French state’s interministerial network. No technical details regarding the attack vector, intrusion detection timeline, or containment measures were disclosed in available reporting.