Millions of amateur football players in France may have seen their personal data exposed after the French Football Federation (FFF) suffered a cyber-attack.
In a statement published on November 26, the FFF said it detected unauthorized access to the software platform used by all licensed football clubs in the country to manage administrative tasks, including registering their players with the federation.
The exposed data includes:
Names
Genders
Dates of birth
Birth locations
Nationalities
Postal addresses
Email addresses
Phone numbers
Football license ID number
The FFF believes the intrusion occurred on November 20.
“As soon as the FFF services detected this unauthorized access via a compromised account, they took the necessary steps to secure the software and data, including immediately deactivating the affected account and resetting all user account passwords,” the statement said.
The FFF filed a complaint with the French authorities and notified the French Data Protection Agency (CNIL) and the French Cybersecurity Agency (ANSSI).
It also plans to inform every affected individual whose email address was in the compromised database.
The federation urged all football license holders in France to stay vigilant against phishing scams following the incidents, with SMS and emails purportedly coming from the federation or their football club that could be used in scams.
The FFF reported a record number of over 2.3 million football license holders in the country fo
Source: https://www.infosecurity-magazine.com/news/french-football-federation-data/
TPRM report: https://www.rankiteo.com/company/the-football-association
"id": "the1764331072",
"linkid": "the-football-association",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Over 2.3 million '
'football license '
'holders',
'industry': 'Sports',
'location': 'France',
'name': 'French Football Federation (FFF)',
'size': None,
'type': 'Sports Federation'}],
'attack_vector': 'Compromised Account',
'customer_advisories': 'Affected individuals to be notified via '
'email; advised to watch for phishing '
'attempts.',
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Likely (data exposed via '
'unauthorized access)',
'file_types_exposed': None,
'number_of_records_exposed': 'Over 2.3 million',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally '
'Identifiable '
'Information (PII)',
'Administrative '
'Data']},
'date_detected': '2023-11-20',
'date_publicly_disclosed': '2023-11-26',
'description': 'Millions of amateur football players in France '
'may have had their personal data exposed after '
'the French Football Federation (FFF) suffered a '
'cyber-attack. Unauthorized access was detected '
'on the software platform used by licensed '
'football clubs to manage administrative tasks, '
'including player registrations. The exposed data '
'includes names, genders, dates of birth, birth '
'locations, nationalities, postal addresses, '
'email addresses, phone numbers, and football '
'license ID numbers. The FFF took immediate steps '
'to secure the system, notified authorities, and '
'plans to inform affected individuals.',
'impact': {'brand_reputation_impact': 'Potential risk due to '
'exposure of sensitive '
'personal data and warning '
'about phishing scams',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': ['Names',
'Genders',
'Dates of Birth',
'Birth Locations',
'Nationalities',
'Postal Addresses',
'Email Addresses',
'Phone Numbers',
'Football License ID Numbers'],
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (due to exposure of '
'personally identifiable '
'information)',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['Software platform used by '
'licensed football clubs for '
'administrative tasks']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': 'Compromised user '
'account',
'high_value_targets': ['Player '
'registration '
'database'],
'reconnaissance_period': None},
'investigation_status': 'Ongoing (authorities notified, '
'complaint filed)',
'post_incident_analysis': {'corrective_actions': ['Deactivated '
'compromised '
'account',
'Reset all '
'user '
'passwords',
'Notified '
'regulatory '
'bodies and '
'affected '
'individuals'],
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': ['Enhance account security measures (e.g., '
'multi-factor authentication)',
'Monitor for phishing attempts targeting '
'affected individuals',
'Conduct a thorough review of access '
'controls and user account management'],
'references': [{'date_accessed': '2023-11-26',
'source': 'French Football Federation (FFF) '
'Public Statement',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': ['Filed complaint '
'with French '
'authorities'],
'regulations_violated': None,
'regulatory_notifications': ['Notified '
'CNIL '
'(French '
'Data '
'Protection '
'Agency)',
'Notified '
'ANSSI '
'(French '
'Cybersecurity '
'Agency)']},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': ['Public statement on '
'November 26, 2023',
'Filed complaint with '
'French authorities',
'Notified CNIL (French '
'Data Protection Agency) '
'and ANSSI (French '
'Cybersecurity Agency)',
'Plans to inform every '
'affected individual via '
'email',
'Urged license holders '
'to stay vigilant '
'against phishing scams'],
'containment_measures': ['Deactivated the '
'compromised account',
'Reset all user account '
'passwords'],
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'stakeholder_advisories': 'FFF urged all football license '
'holders to stay vigilant against '
'phishing scams (SMS/emails '
'impersonating FFF or clubs).',
'title': 'French Football Federation (FFF) Cyber Attack Exposes '
'Personal Data of Millions of Amateur Players',
'type': 'Data Breach'}