Sportadmin Fined 6 Million Kronor for Massive Data Breach Affecting 2.1 Million

The Swedish Data Protection Authority fines Sportadmin 6 million kronor following a major 2022 data breach exposing sensitive data of over 2 million individuals, including children and royalty.

Key details

  • Sportadmin fined 6 million kronor by the Swedish Data Protection Authority (IMY).
  • Data breach exposed personal information of 2.1 million individuals, including children and high-profile figures.
  • Investigation revealed serious technical and organizational security flaws and prior awareness of vulnerabilities at Sportadmin.
  • Breach involved ransomware attack by Ransomhub exploiting outdated systems and a 2022 technical error.
  • IMY highlights importance of adequate security despite the inevitability of cyberattacks.

The Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) has fined Sportadmin 6 million kronor due to a substantial data breach that compromised personal information of over 2.1 million individuals. This breach, revealed following an investigation launched after the 2022 incident, exposed names, contact details, personal identification numbers, and sensitive health information, including data of children, young people, and high-profile figures such as Prince Carl Philip, whose secret online alias was also leaked.

IMY's probe uncovered significant technical and organizational shortcomings at Sportadmin, with the company reportedly aware of vulnerabilities before the breach. The attack, orchestrated by the ransomware group Ransomhub, exploited outdated systems and a technical error from 2022, using a known hacking method linked to web forms. Though the attack aimed to extort money by threatening to leak data on the darknet, Sportadmin denies having paid any ransom.

IMY Director Eric Leijonram emphasized that while IT attacks can't be entirely prevented, organizations must uphold security standards appropriate to the sensitivity of the data they manage. The breach's impact, involving protected individuals and members of the royal family, underscores the critical need for robust cybersecurity measures.

This fine marks a significant enforcement of GDPR compliance in Sweden, spotlighting the consequences of inadequate data protection.

This article was translated and synthesized from Swedish sources, providing English-speaking readers with local perspectives.
