Unknown hackers stole personal and financial information of supporters of Leicester City FC after gaining access to the club's online store between 23 April and 4 May this year.
During the time the hackers were inside the club's online system, they were able to steal financial information of supporters who visited the club's official retail store and entered their personal information. Such information included card numbers, expiry dates, CVV numbers, and cardholder names.
The security breach was discovered in May, following which Leicester City FC emailed affected users to inform them about the breach and also notified the Information Commissioner's Office. The club said it has also restored the security of its online systems after the breach was discovered.
"Last month, the Club discovered a criminal online security breach, which had compromised the personal and financial information of some users of its online retail platform between 23 April and 4 May, 2019," the Club said in a press release published on Saturday.
"All supporters potentially affected were immediately identified and contacted to alert them to the breach and to recommend appropriate action. Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets.
"In line with its GDPR responsibilities, the Club informed all necessary parties - including potentially affected users, the police and the Information Commissioners Office (ICO) - and launched an immediate investigation into the source of the breach. The investigation is currently on-going," it added.
The breach of the official Leicester City FC retail store is the second such security incident involving Premier League clubs following the arrival of the new Data Protection Act which mandates large fines for organisations that fail to secure the personal data of their customers and clients.
In August last year, West Ham football club leaked email addresses of hundreds of supporters when it sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon and pasted all the email addresses in the 'To' field instead of in the 'bcc' field.
"You may have received an email that included a segment of email addresses of those who were also successful in the ballot. The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner's Office.
"The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared. The Club will take the necessary steps to review and amend the process with the view to prevent this from happening again," the club said in an email to affected supporters.
Image source: lcfc.com