Royal Dutch Football Association confirms it paid ransom for hacked employee data

The governing body for soccer in the Netherlands said this week that it paid a ransom to hackers who breached its systems earlier this year and stole the sensitive data of more than more than 1.2 million employees and members.

The Royal Dutch Football Association (KNVB) didn’t say how large the ransom was, but it confirmed that the prolific LockBit ransomware gang — which took credit for the incident — was indeed behind the attack.

The KNVB, based in Zeist, runs the country’s main professional leagues, the Dutch men's and women's national teams, the Dutch Cup and amateur leagues.

In April KNVB’s leadership had announced the incident, saying the organization’s business operations were not affected but the intruders had obtained personal data. Law enforcement agencies in the Netherlands and the Dutch Data Protection Authority were notified.

That same month, LockBit claimed to have stolen 305 GB of data.

KNVB revealed this week that those potentially affected include:

• The parents or guardians of underage players who were transferred internationally between 2014-2019.
• Players who were transferred internationally between 2015-2021.
• Players who played for a professional football organization between 2016-2018.
• People who sent declarations to the KNVB based on their relationship with the KNVB (in the broadest sense) from 2010 to 2022.
• Anyone who had contact with the KNVB Sports Medical Center.
• Anyone who was involved in disciplinary matters (e.g. a sanction) from 1999-2020.

For most victims, their government ID and signature were stolen but many had names, addresses, salary details and bank account numbers accessed. Medical details and information in disciplinary files were also included in some of the data accessed.

KNVB said the gang threatened to publish the data unless the association paid a ransom. The idea of “preventing such a spread ultimately weighs more heavily” than buckling to extortion attempts, KNVB said. Based on the guidance they were given from cyber forensics firm Fox-IT, they decided to pay the undisclosed ransom.

But out of caution, they wanted to notify anyone affected that their data may have been accessed or exfiltrated from KNVB systems.

Many victims were contacted directly, and the KNVB put ads in local newspapers to notify the public about what happened. But the organization urged victims to check back on the document for updates about the incident.

In an FAQ provided along with the statement, the organization made the controversial claim that it does not expect the information accessed to be “misused or further distributed” based on what experts told them.

“Their experience shows that such cybercriminals honor the agreements they have made,” the organization asserted. Cybersecurity experts say, however, that cybercriminals should not be trusted to honor their promises.

Tuesday’s statement warned victims to be wary of any calls purporting to be from their bank or other financial institutions.

Despite reports of dissension within LockBit, alleged members continue to dominate the hacker landscape with dozens of attacks each month. The gang recently took credit for an attack on a 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal