FFF Academy Saudi Arabia: French Football Federation discloses data breach after cyberattack

The French Football Federation (FFF) disclosed a data breach on Friday after attackers used a compromised account to gain access to administrative management software used by football clubs.

After detecting the unauthorized access, FFF's security team disabled the compromised account and reset all user passwords across the system.

However, before they were detected and evicted from the breached systems, the threat actors stole personal and contact information from members of French football clubs.

"Upon detection of this unauthorized access through the use of a compromised account, the FFF services took the necessary steps to secure the software and data, including immediately disabling the account in question and resetting all user account passwords," the FFF said [machine translation].

"This breach is limited to the following data only: name, surname, gender, date and place of birth, nationality, postal address, email address, telephone number and license number."

As required under European data protection regulations, the organization has filed a criminal complaint and notified France's National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL), the country's data protection authority.

The FFF said it will directly notify all individuals whose email addresses appear in the compromised database and urged members to be suspicious of messages claiming to originate from the federation, their clubs, or other senders.

French footba

Source: https://www.bleepingcomputer.com/news/security/french-football-federation-fff-discloses-data-breach-after-cyberattack/

TPRM report: https://www.rankiteo.com/company/fff-academy-saudi-arabia

{
  "id": "fff1764353510",
  "linkid": "fff-academy-saudi-arabia",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Members of French '
                                                           'football clubs '
                                                           '(exact number '
                                                           'unspecified)',
                                     'industry': 'Sports (Football)',
                                     'location': 'France',
                                     'name': 'French Football Federation (FFF)',
                                     'size': None,
                                     'type': 'Sports Governing Body'}],
              'attack_vector': 'Compromised Account',
              'customer_advisories': 'Direct notifications to affected '
                                     'individuals via email',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': True,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': True,
                              'sensitivity_of_data': 'High (personally '
                                                     'identifiable '
                                                     'information)',
                              'type_of_data_compromised': ['Personal '
                                                           'Information',
                                                           'Contact '
                                                           'Information']},
              'date_publicly_disclosed': '2023-11-17',
              'description': 'The French Football Federation (FFF) disclosed a '
                             'data breach after attackers used a compromised '
                             'account to gain access to administrative '
                             'management software used by football clubs. '
                             'Before detection, threat actors stole personal '
                             'and contact information from members of French '
                             'football clubs. The FFF secured the system by '
                             'disabling the compromised account and resetting '
                             'all user passwords. The breach was limited to '
                             'data such as names, surnames, gender, date and '
                             'place of birth, nationality, postal address, '
                             'email address, telephone number, and license '
                             'number. The FFF filed a criminal complaint and '
                             'notified ANSSI and CNIL as required by European '
                             'data protection regulations.',
              'impact': {'brand_reputation_impact': 'Potential risk due to '
                                                    'exposure of personal data',
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': ['Name',
                                              'Surname',
                                              'Gender',
                                              'Date of Birth',
                                              'Place of Birth',
                                              'Nationality',
                                              'Postal Address',
                                              'Email Address',
                                              'Telephone Number',
                                              'License Number'],
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'High (personal data exposed)',
                         'legal_liabilities': 'Criminal complaint filed; '
                                              'notifications to ANSSI and CNIL '
                                              'under GDPR',
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['Administrative management '
                                              'software used by football '
                                              'clubs']},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': 'Compromised account',
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing (criminal complaint filed; '
                                      'regulatory notifications made)',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': None},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': None,
                              'source': 'BleepingComputer (or original FFF '
                                        'statement)',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': ['Criminal complaint '
                                                          'filed'],
                                        'regulations_violated': ['GDPR '
                                                                 '(General '
                                                                 'Data '
                                                                 'Protection '
                                                                 'Regulation)'],
                                        'regulatory_notifications': ["France's "
                                                                     'National '
                                                                     'Cybersecurity '
                                                                     'Agency '
                                                                     '(ANSSI)',
                                                                     'National '
                                                                     'Commission '
                                                                     'on '
                                                                     'Informatics '
                                                                     'and '
                                                                     'Liberty '
                                                                     '(CNIL)']},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': ['Direct notification to '
                                                      'individuals whose email '
                                                      'addresses were in the '
                                                      'compromised database',
                                                      'Advisory to members to '
                                                      'be suspicious of '
                                                      'phishing messages'],
                           'containment_measures': ['Disabled compromised '
                                                    'account',
                                                    'Reset all user passwords '
                                                    'across the system'],
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': True,
                           'law_enforcement_notified': True,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': None},
              'stakeholder_advisories': 'Members advised to be cautious of '
                                        'phishing attempts',
              'title': 'French Football Federation (FFF) Data Breach',
              'type': 'Data Breach'}