A troubled season for Leicester City FC just got worse, with the club announcing that a cyber criminal has broken into the club’s online shop and stolen fans’ financial details.
The breach occurred between 23 April and 4 May 2019, potentially affecting anyone who has made a purchase through shop.lcfc.com.
Cardholder names, card numbers, expiry dates and CVV numbers were all compromised.
A swift response
The club responded to the incident promptly, notifying the ICO (Information Commissioner’s Office) of the breach and posting a notice on the club shop website. It later emailed customers with a statement providing further details.
“Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets,” the statement read.
“The club has been in direct contact with all users that were potentially affected by this breach,” it added.
A GDPR penalty?
Both Leicester City FC and the ICO are investigating the breach, which may well reveal violations of the GDPR (General Data Protection Regulation) and the PCI DSS (Payment Card Industry Data Security Standard).
The GDPR states that organisations must take “appropriate technical and organisational measures” to secure EU residents’ personal data. There are many ways to mitigate the risks of a data breach.
One of the most effective methods is encryption, which is not only recommended for GDPR compliance but is also an explicit requirement of the PCI DSS.
Either way, the club will have to explain why it stored card numbers and expiry dates alongside CVV numbers.
Whereas card numbers and expiry dates are needed to complete transactions, the CVV is a verification check that confirms the person making the purchase actually holds the card, which is why the PCI DSS does not permit it to be stored once a transaction has been authorised. Even when a retailer has saved your card details, you should still be asked to enter the CVV on every visit.
Cyber criminals with access to payment details and CVV numbers will have much greater freedom when making fraudulent purchases. Indeed, some Leicester fans have said that fraudulent transactions were made on their credit cards soon after the attack.
If the club is found to have violated the GDPR, it could face a fine of up to €20 million (£17.8 million; about two Marc Albrightons).
The alternative penalty of 4% of the organisation’s annual global turnover doesn’t apply in this instance: the higher of the two figures is used, and because Leicester City made about £159 million last year, 4% of that is far lower than the flat-rate fine.
It’s time to take the GDPR seriously
The GDPR has been in effect for just over a year now, and the UK is still awaiting a landmark fine that will make organisations sit up and take notice.
That fine is coming soon, and it will open the floodgates for GDPR enforcement actions. If your organisation is to avoid getting caught out, you must act soon.
You can learn everything you need to protect the personal data you store and avoid regulatory penalties by enrolling on our Certified EU GDPR Foundation Training Course.
This one-day course provides a comprehensive introduction to the GDPR and gives you a practical understanding of the implications and legal requirements for organisations.
This course is available in locations throughout the UK.