Cyber Incident Victim: Paris Saint-Germain
Date:
Apr 2024
Location:
France
Summary
The Paris Saint-Germain football club experienced a cyberattack targeting its online ticketing system, involving unusual access attempts to its website. The club detected and resolved a vulnerability within 24 hours, implementing additional security measures. Compromised data included personal identifiers such as names, email and postal addresses, mobile numbers, birth dates, account statuses, and partially masked IBAN numbers, while gift card credentials were accessed and subsequently renewed. No evidence confirmed data extraction or exploitation by malicious actors, though the club proactively notified potentially affected individuals and reinforced its website security protocols.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 3, 2024, Paris Saint-Germain (PSG) experienced a cybersecurity incident targeting its online ticketing system during preparations for an upcoming UEFA Champions League quarter-final match against Barcelona. The club detected unusual access attempts to its databases, prompting an investigation that identified a vulnerability in the system. PSG resolved the issue within 24 hours of discovery and implemented additional security measures to prevent further unauthorized access. The club proactively notified all individuals in its databases via email, disclosing the incident despite no confirmed evidence of data exfiltration or malicious exploitation. This notification fulfilled legal obligations to inform potentially affected parties, though PSG did not specify whether any accounts were definitively compromised during the breach.
The cyberattack exposed personal data including full names, email addresses, physical addresses, mobile numbers, dates of birth, and account statuses. Partial IBAN numbers (with only the last three digits visible) and gift card identifiers were also accessible to attackers, though PSG confirmed these financial details were not fully exposed or utilized maliciously. As a precaution, the club renewed all compromised gift card credentials to invalidate potential unauthorized access. No detrimental effects to supporters or ticketing system users were reported following the incident. PSG emphasized continuous security enhancements to its digital infrastructure following the breach, focusing on strengthening database protections against future intrusion attempts while maintaining operations for upcoming matches and events.