Bologna FC 1909, a prominent Italian football club, has fallen victim to a ransomware attack targeting its internal security systems. The attack, claimed by the ransomware group “RansomHub,” has resulted in the theft of extensive club data, including sensitive information about players, sponsors, and financial operations. The club has confirmed the breach in an official statement and has warned against the unlawful possession or dissemination of the stolen data.
RansomHub’s threats
RansomHub, the group claiming responsibility, announced the breach earlier this month, alleging that Bologna FC’s lax security measures enabled them to extract an alarming volume of data. The stolen files reportedly include:
- Personal and medical records of players.
- Financial information covering the club's entire history.
- Sponsorship contracts and associated conditions.
- Confidential transfer strategies and data on youth athletes.
- Commercial strategies, business plans, and stadium-related documents.
The group has threatened to release this data publicly unless the club engages in negotiations. Their statement further highlights potential GDPR violations, which could subject Bologna FC to fines of up to €20 million or 4% of its global turnover.
RansomHub cited high-profile football data leaks, such as those affecting FC Barcelona and Manchester City, as cautionary examples of the financial and reputational damage that could follow.
The stolen data has now been leaked in full via a separate link.
Bologna FC’s response
In its official communication, the club acknowledged the attack, stating:
“The crime resulted in the theft of company data which may appear online. Please be warned that it is a serious criminal offense to be in possession of such data or facilitate its publication or diffusion.”
Bologna FC 1909, based in Bologna, Italy, competes in Serie A, Italy's top-tier football league. The club is known for its storied history, boasting seven Serie A titles. Its operations, which include managing sponsorships, player contracts, and stadium facilities, have now been significantly disrupted by the breach.
The leaked data poses severe risks to the club and its stakeholders. The exposure of confidential contracts and medical data could lead to lawsuits and damaged trust. Also, GDPR violations may invite heavy fines and sanctions.
In any case, this attack underscores the vulnerability of large sports organizations, which often manage sensitive and high-value data but have fallen behind on data protection strategies and cybersecurity in general.