- SportAdmin, a Swedish sports software company, got hit with a €565,000 (over 675,000 USD) fine after a simple hack early last year exposed the personal data of more than 2.1 million people, most of them kids.
- The breach exposed highly sensitive information about users, including Social Security numbers, family details, and private health data such as allergies and disabilities, all of which the hackers dumped on the dark web.
- Sweden's data regulator called the company out for not employing enough security measures: it said SportAdmin lacked sufficient routine code checks, gave users far too many system permissions, and ran threat monitoring that failed to detect the breach in real time.

SportAdmin, a popular sports app company in Sweden, is under fire after a data breach exposed millions of sensitive records, the majority of them children's information.
Sweden's data protection authority has now imposed a fine on the firm. The fine penalizes the company for failing in its responsibility to provide the basic digital security needed to keep user information safe.
Data Breach Caused by Lax Security
Hackers broke into SportAdmin back in January last year, and they didn't use anything fancy. It was just a basic SQL injection, an old trick where text typed into a site's input fields ends up interpreted as part of a database query, letting an attacker slip past the defenses. Most companies can block this with simple, routine security steps.
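To make the "basic SQL injection" concrete, here is an added example (not code from SportAdmin or from the article) showing a member lookup built by string concatenation beside the same lookup written with a parameterized query. The table, column names and sample rows are constructed for illustration and are not SportAdmin's schema.

```python
import sqlite3

# Constructed sample data standing in for a sports-club membership table
# (illustrative only, not SportAdmin's real schema).
MEMBERS = [
    ("anna", "Club Nord", "pollen allergy"),
    ("bjorn", "Club Syd", "none"),
    ("carla", "Club Nord", "diabetes"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, club TEXT, health_note TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the field value is spliced straight into the SQL text,
    so whatever the user typed becomes part of the query itself."""
    sql = f"SELECT username, club, health_note FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver sends the value separately from the statement,
    so it is only ever compared as a string and never parsed as SQL."""
    sql = "SELECT username, club, health_note FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A username field containing a tautology: the string-built query matches
    # every row, while the parameterized query finds no user with that literal name.
    crafted = "x' OR '1'='1"
    print(len(lookup_vulnerable(db, crafted)), "rows leaked by the string-built query")
    print(len(lookup_hardened(db, crafted)), "rows returned by the parameterized query")
```

For a legitimate username both functions return the same single row; only the crafted input separates them, which is exactly the check a code review should catch.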
While investigating the incident, the Swedish Data Protection Authority (IMY) discovered that SportAdmin had dropped the ball on basic security. The company didn’t comply with Article 32 of the GDPR, which says companies have to put proper security in place to protect people’s personal data.
The investigation revealed multiple clear failures. The company had insufficient protection against these common SQL injection attacks. Its code review process was weak, especially for older systems. Most critically, its security monitoring didn’t catch the hack as it happened.
To make matters worse, users inside the system had excessive access permissions. This allowed the hackers to reach far more data once they breached the initial defenses.
Personal Data of Millions Exposed
The real impact of this breach is in how large and sensitive the exposed personal information is. The hackers got their hands on the data of more than 2.1 million individuals, most of them being minors. The incident echoes a recent major breach at another Swedish IT firm, which exposed data belonging to 1.5 million people.
This wasn’t just names and email addresses. The stolen data cache included:
- Swedish Social Security numbers
- Details on guardians and family relationships
- Sports club membership information
- Highly confidential and sensitive health records, including information on allergies and disabilities.
By March last year, the threat actors had leaked the entire data set on the dark web. The people whose information is part of the leaked stash are at risk of being targeted by phishing scams and identity fraud, which could cost them serious financial losses.
In response, SportAdmin says it shut services down quickly, later added a Web Application Firewall (WAF), cooperated with the authority, and alerted affected clubs and families.
Lessons to Be Learned from SportAdmin’s Woes
Despite its response, the IMY issued a €565,000 fine (equivalent to more than 675,000 USD). The authority cited the company’s negligence and the massive scale of the incident.
Eric Leijonram, Director at IMY, summarized the core issue: “IT attacks can never be completely ruled out, but you are obliged to have a level of security adapted to the personal data you handle. SportAdmin has not had it.”
This statement is crucial. The law doesn’t expect companies to be unhackable. It requires them to have security that matches the sensitivity of their data. Holding children’s private health and identity data demands robust, proactive protection.
The lessons are clear for any organization. Address known vulnerabilities: common threats like SQL injection must be defended against. Monitor actively: security must be watched in real time, not set and forgotten. These fundamental failures are not unique; similar lapses in basic security were at the heart of the recent major breach at ride-hailing giant Cabify, which compromised hundreds of thousands of driver records. Limiting access permissions according to the 'least privilege' principle helps minimize the extent of the damage should a breach occur.
As for parents and sports clubs, this breach serves as a reminder to always ask software providers what measures they have in place to protect the private information users entrust to them.