Cyber Incident Victim: Charlton Athletic
Date:
Aug 2024
Location:
United Kingdom
Summary
Charlton Athletic experienced a ransomware attack targeting their legacy accounting system, resulting in significant financial data loss and operational disruptions. The incident compromised financial records and temporarily hindered business activities, though insurance coverage mitigated direct monetary damages. The attack necessitated a disclaimer in the club’s financial accounts due to unrecoverable data affecting reporting accuracy.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 6 August 2024, Charlton Athletic Football Club experienced a ransomware cyber attack targeting its legacy accounting system, which had been operational since 31 October 2023. The attack resulted in the deletion of significant financial data, rendering critical records inaccessible for business operations. While the club confirmed the direct financial consequences were mitigated through an insurance policy covering the incident’s final impact, the breach caused operational disruptions extending beyond immediate financial losses. Specifically, the ransomware incident compromised the integrity of the club’s financial records and interfered with broader organizational activities, though the technical scope of affected systems beyond the accounting platform was not detailed in public disclosures. The attack’s timing coincided with the club’s preparation of its 2023-24 financial accounts, forcing Charlton to include a formal disclaimer in filings submitted to Companies House acknowledging the cyber incident’s distorting effect on reported data.
Financial disclosures revealed Charlton Athletic sustained a £14 million loss during the 2023-24 fiscal year, representing a 48% increase over the previous year’s deficit, alongside an annual revenue decline from £9.8 million to £8.81 million. Although the ransomware attack’s direct monetary damage was insured, the data destruction necessitated accounting adjustments and complicated financial reporting processes. The incident occurred under the ownership of SE7 Partners, a consortium led by former Sunderland director Charlie Methven that had acquired the club from Thomas Sandgaard in July 2023—approximately 13 months prior to the breach. No operational details regarding attack attribution, ransom demands, data recovery methods, or network containment procedures were disclosed publicly. The cyber attack’s secondary consequences remained confined to disruptions in financial record-keeping and unspecified ancillary business functions, with no reported compromise of fan data, match operations, or stadium infrastructure.