English Premier League football club West Ham United appears to have accidentally leaked personal data of supporters on its official website, potentially leaving fans exposed to phishing attacks.
As reported today by Forbes, multiple details of fans, including full names, dates of birth, telephone numbers, postal addresses and email addresses, were displayed when supporters attempted to log into their accounts on the club's ticketing website.
The article stated that the official club website showed several error messages earlier today, including an admin message stating "Drupal already installed." After the author created an account on the site and logged in again with their credentials, the personal details of another West Ham supporter were displayed. A number of West Ham supporters reported similar experiences on the fans' forum site KUMB.
In a statement, the club confirmed that the issue has now been resolved, with a spokesman saying: “We are aware there was a technical issue when signing into online accounts this morning. We worked with our third-party service provider and they have already resolved this issue.”
There is currently no suggestion that credit card or any other payment details have been exposed.
Cybersecurity experts believe it is likely the problem was caused by an internal error.
Javvad Malik, security awareness advocate at KnowBe4, commented: "All organizations of all sizes and in all verticals need to foster a culture of cybersecurity so that all aspects of security and design are taken into account. The leak at West Ham United is likely down to an internal error or misconfiguration, which is an easy enough error to make. That is why it is important to have in place the proper security controls, particularly where customer data is concerned, so that there can be assurance the data is being handled correctly."
Under GDPR rules, West Ham should be directly contacting any supporters whose information was exposed. In the meantime, fans are advised to be on the lookout for unsolicited communications that contain links or request financial details.
Natalie Page, threat intelligence analyst at Talion, said: "The potential ramifications for West Ham United from this incident could be extremely costly. Since the introduction of GDPR, we have seen individual organizations fined as much as £42m, with an astonishing overall amount of £235m issued thus far against 533 organizations. For the West Ham United fans potentially affected by this breach: while the club should contact you directly if your details have been exposed, be cautious and act as if your personal details have been breached until notified otherwise.
"Be alert to incoming texts, calls and emails from unknown sources utilizing the information shared in this incident and demanding further personal information or payment. Also consider the password you utilize for this account: if it has been duplicated on other personal accounts, it should be changed promptly."
Football clubs have been increasingly targeted by cyber-criminals in recent years. In 2020, the NCSC claimed that one Premier League football club nearly lost a £1m transfer fee to scammers, while Manchester United was hit by a suspected ransomware attack in November last year.