The breaches at Bologna Calcio and the San Siro Stadium. Hackers from the RansomHub group publish some of the stolen documents on the Dark Web and demand that the Serie A club pay a ransom.
“One of the largest data breaches in the history of Italian sports,” according to Ransomfeed’s cybersecurity experts echoed by the National Daily.
Let’s talk about the ransomware attack on Bologna Calcio, carried out last Friday by the RansomHub group, and the subsequent attack on the San Siro Stadium by the Bashe cyber-gang, which claimed to have hacked the servers of the company that runs the stadium, although official confirmation from the victim is still lacking.
Bashe, meanwhile, says on its website that it has exfiltrated a terabyte of data from the company that runs Italy’s most famous stadium, comparable to more than 250 thousand high-resolution photos or 85 million Word documents. No word yet on the ransom demand, however.
In the case of the Bologna soccer team, the claim came from the criminal group known as RansomHub, which, on its website, spoke of more than 200 gigabytes of sensitive information being stolen.
These would include: sponsorship contracts and financial strategies; personal data of players, employees, and fans; player contracts and personal data of coach Vincenzo Italiano (passport and IBAN); season ticket data; transfer strategies and young talent management; confidential medical data; business plans and corporate strategies; information on infrastructure and stadiums; and documents potentially in violation of FIFA and UEFA regulations.
The news was made known by the company itself with the release of a statement which reads:
“Bologna Football Club 1909 Spa announces that its security systems were recently subjected to a ransomware-type cyber attack, on a cloud server and in the internal perimeter. This criminal action resulted in the theft of company data that could be subject to publication. Therefore, anyone who comes into possession of it is warned not to disseminate or share or make any other use of such data as it is the result of crime.”
RansomHub, in addition to threatening to publish the stolen data by Sunday and demanding a ransom not to do so, also accused Bologna of having security measures so weak as to violate the GDPR, the European Union’s General Data Protection Regulation, and pointed out that the penalties for such a violation can reach 20 million euros or 4 percent of the company’s global turnover.
The RansomHub group, which has been operational since February 2024, uses the Ransomware-as-a-Service (RaaS) business model, which incentivizes ransomware attacks on a global scale and rapid gains. As many as 22 extortions are currently active on its platform, and the group’s propensity to publish the data of victims who do not pay is well established.
The Bologna Calcio club is therefore in a hopeless impasse these days: pay and give in to the criminals’ blackmail, thereby suffering the economic damage, or refuse and risk legal damage (arising from potential litigation) and reputational damage, but also fiscal and sporting damage (the risk of disqualification from events or championships).
In addition, there is the GDPR violation, as pointed out by the criminals themselves. The attack fully qualifies as a “personal data breach,” understood as “a security breach that accidentally or unlawfully results in the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.”
The Data Protection Authority could therefore decide to initiate an inspection process aimed at ascertaining the club’s responsibilities and any non-compliance with GDPR regulations.
“The one against Bologna,” notes the Ransomfeed expert collective, “was the 135th ransomware attack this year against an Italian entity. In all, more than 25 terabytes of data were published in 2024. A huge amount on which serious reflection should be started. We are the fourth country in the world in terms of the number of ransomware attacks, the first in Europe. What has not been done in recent years? What is the National Cybersecurity Agency dealing with? Also because the biggest bill, almost always, is ultimately paid by ordinary citizens, whose personal data is resold and often used to organize scams.”
As for the specific case, the origin of the flaw is still unclear: whether it was inadequate defenses or an employee’s error, attributable therefore to the human factor.
But according to Ransomfeed, “the real problem is that a major entity like Bologna cannot be caught off guard like this. They are the first culprits for what has happened: clearly the investment in digital security and staff training is insufficient. A club that spends tens of millions on hires cannot fail to invest at least a couple of millions in cybersecurity. This is not acceptable.”
We certainly do not want to rage here at those who have already suffered such serious harm. What can be said, however, is that there is absolutely no room for lagging behind on security today. Cybercrime is becoming more and more prevalent, and the risks involved are too high, both in economic and reputational terms.
Technological measures, however, though necessary, are not enough. The human factor is, more often than not, the one responsible for breaches. All it takes is naivety or distraction to cause very serious damage to one’s company. That is why it needs to be strengthened and turned into the first line of defense. A knowledgeable staff, which receives quality training and constantly practices recognizing crime and stopping it in time, is the best guarantee for a future safe from attacks and troubles such as the ones Bologna Calcio is facing these days.