West Ham United unwittingly leaked its supporters’ data earlier this month because of a “technical error” that occurred when fans accessed the ticketing system.
The security breach, which has reportedly now been resolved, exposed supporters’ information, including their full name, date of birth, mobile telephone number, address and email address, leaving them vulnerable to phishing attacks.
During the incident, fans were met with several error messages when attempting to access the Premier League club’s ticketing website. Supporters also reported seeing an admin message stating “Drupal already installed.”
Many fans on West Ham supporters forum KUMB reported being shown the personal details of another West Ham supporter, though there is no evidence that credit card information has been revealed.
At the time, Jake Moore, a cybersecurity specialist with security firm ESET, told Forbes: “This is likely to have been an internal error which took the club by surprise, but now with account holders seeing other people’s personal information, there could be further potential problems.
“Not only could this arise in a GDPR issue, it seems like it would be difficult to know who has seen what information and they could be potentially at risk of future targeted phishing emails. I would suggest anyone with an account to remain vigilant to any emails requesting further details.”
Following the incident, a spokesperson for West Ham said: “We are aware there was a technical issue when signing into online accounts this morning. We worked with our third-party service provider and they have already resolved this issue.”
The Daily Mail newspaper has reported that the breach was a result of a third-party service provider making technical alterations to the site. It also said the club has contacted those affected and is reviewing the problem and applying further security measures.
The news comes amid a rise in cyber attacks against football clubs in recent months, with Manchester United being hacked in November. The threat, believed to have originated from an email phishing scam, saw data gleaned by “organised cyber criminals”, who attempted to hold the club to ransom for millions of pounds.