SportAdmin is a Swedish cloud-based system used by sports clubs in Scandinavia to manage members, activities, and payments. In January 2025, the system was hacked. The attacker gained access to data about 2.1 million individuals – the vast majority being children and adolescents. Names, contact information, social security numbers, the sports they participated in, and their team affiliations. In addition, health information and, in some cases, information about individuals with hidden addresses. Everything was published on the Darknet.
The Swedish Data Protection Authority IMY found that SportAdmin did not have adequate security for the data they processed. The company lacked systems for detecting intrusions in real time. IMY also found that SportAdmin was aware security vulnerabilities and elevated risk before the breach—but had not acted sufficiently.
The boat was 6 million Swedish kronor.
Practical point: Does your organization use a cloud-based system for member data — especially regarding children? Ask the vendor three things: do they have intrusion detection, when was the last security audit conducted, and what is the procedure for notifying you in the event of an incident. The answers will tell you if the data is sufficiently protected.
Inspired by: Love you