Leeds United apologise as they reveal cyber attack compromised customer card details

In a statement the club say they have been in contact with all of those directly impacted and continue to work with the Informational Commissioner’s Office. They also say measures have been put in place to recover from the attack, which took place late last month.

“Leeds United suffered a cyber-attack between 19th and 24th February 2025, targeting the retail website, resulting in the card details of a small number of customers being compromised,” said a statement.

“The club has communicated with all of those directly impacted and is continuing to work with the Information Commissioner’s Office. A forensic investigation was undertaken by a specialist third-party as soon the club discovered the breach, and measures were implemented to stop and recover from the attack. The club is disappointed that the attack was successful despite layers of cyber security, and offer our sincere apologies to anyone who has been adversely affected.”

READ: Leeds United flashpoint cited by Arne Slot in post-Everton red card plea

Back in September it was reported by The Daily Mail that the EFL had alerted clubs following cyber attacks led to breaches at Bristol City and Sheffield Wednesday. The Mail reported that EFL clubs elisted the help of third party agencies to deal with an ‘increasingly troubling’ issue with hackers targeting big clubs looking for data of season ticket holders. Emails sent from the club addresses of senior officials at Bristol City and Sheffield Wednesday were the work of hackers, leading the EFL to send an alert to all clubs warning them not to open emails from those officials.

League One Charlton Athletic also reported in a statement in September that they had experienced an IT security incident, saying: “Charlton Athletic can confirm that the club has experienced an IT security incident, which has affected our legacy IT infrastructure as we recently migrated all core systems onto the cloud. In line with our cyber security protocols, we have taken swift action to stop the incident and are now working with external security specialists to investigate further.”

The Mail piece referenced Leeds United’s efforts to respond to the threat, reporting: “Leeds United appear to be among those leading the response. The club’s information security manager, Graham Peck, is creating a list of cyber security contacts at each side to ensure information is shared and to aid prompt responses.”