The website of West Ham United football club was recently found leaking the personal details of account holders to other users, reminding us of a similar incident involving the club that took place in 2018.
The data leak affecting the West Ham United website came to light shortly after the club announced its financial results for the year ending 31 May 2020. In the period, the club suffered losses to the tune of £65.3m due to the onset of the coronavirus pandemic which also resulted in the loss of £44.9m in broadcast income.
According to Forbes, the club’s website started displaying several error messages this morning and sometime later, began displaying the profile information of supporters to other users who logged in to their accounts. These details included fans’ names, phone numbers, dates of birth, addresses, and email addresses.
The online login was associated with the club’s online ticketing service but it is unlikely that many people logged in to their accounts as ticket sales are presently suspended due to the ongoing pandemic. The issue, however, did not last long as West Ham United rectified the leak soon after it learned about the incident.
“We are aware there was a technical issue when signing into online accounts this morning. We worked with our third-party service provider and they have already resolved this issue,” a club spokesperson told Forbes. However, the leak had already attracted a lot of attention from supporters before it was fixed. Here are some comments made by the club’s fans on its official fans’ forum:
“I’ve tried logging into the West Ham ticket website this morning to update my details and it seems to take me to different accounts. Three times it took me to accounts that weren’t mine, although I’ve only tried this on my iPad and phone, no idea what my computer will do, but it seemed fine yesterday. I’ve emailed the ticket office.”
“I’ve just tried it on desktop and I get the same…. My user ID took me to two different accounts from two login attempts….. they have some serious IT issues…”
“I’ve just logged in and there’s some completely random bloke’s details under my account. I’ve got his name, address, DOB, phone number and email address.”
“Same, I logged in and got a Stewart Knight’s details. Surely a massive GDPR breach.”
Commenting on the leak of West Ham United fans’ personal details to others, David Kennefick, Product Architect at Edgescan, told TEISS that this may just have been a few small isolated incidents, that impacted a minority of users. However, in case the breach affected a larger pool of users the club will presumably follow the usual protocols, and if there is a personal data breach the Information Commissioner’s Office (ICO) will be informed.
“The West Ham data leak will put club supporters at real risk of being targeted by the bad actors of the world with phishing attempts via email, text, and phone calls. Supporters will need to beware of any communications that appear to come from the club, as hackers will seek to extract more information (such as financial information) from the victims of the leak,” said Chris Hauk, consumer privacy champion at Pixel Privacy.
This incident reminds us of a similar leak that impacted the club’s reputation in 2018. In August that year, the email addresses of hundreds of the club’s supporters were exposed when it sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon. The leak occurred as the club pasted its fans’ email addresses in the “To” field instead of in the “bcc” field.
“You may have received an email that included a segment of email addresses of those who were also successful in the ballot. The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner’s Office.
“The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared. The Club will take the necessary steps to review and amend the process with the view to prevent this from happening again,” West Ham United said in an email addressed to affected fans.