Attack took place between 19th and 24th February 2025.
Leeds United has confirmed that it suffered a cyber-attack in February, which saw some card details compromised.
In a statement, Leeds said the attack took place between 19th and 24th February 2025. The attack targeted its retail website, “resulting in the card details of a small number of customers being compromised.”
The club said it has communicated with all of those directly impacted and a forensic investigation was undertaken by a specialist third-party as soon the club discovered the breach, and measures were implemented to stop and recover from the attack.
“The club is disappointed that the attack was successful despite layers of cybersecurity, and offer our sincere apologies to anyone who has been adversely affected,” it said.
Commenting, Jake Moore, global cybersecurity advisor at ESET, said these types of attacks are able to penetrate a website and take copies of all payments with ease whilst hiding undercover.
“In a short space of time, cyber-criminals would have been able to swipe card payment details from all transactions from within the time frame affecting all customers from that time,” he said. “Although this digital heist can often go under the radar, it highlights the importance of robust protection, due diligence by all websites handling user’s financial data and for website admins to monitor any anomalies, however small.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
