RansomHub claims to net data hat-trick against Bologna FC

Crooks say they have stolen sensitive files on managers and players


Italian professional football club Bologna FC is allegedly a recent victim of the RansomHub cybercrime gang, according to the group's dark web postings.

The ransomware crims responsible for attacks on organizations including Planned Parenthood and Christie's – the same crew thought to have picked up LockBit's top talent post-disruption – posted an extensive collection of data it claims came from Bologna's systems.

Among the samples of allegedly stolen data is a document that purports to be manager Vincenzo Italiano's employment contract, which includes details such as his €4.575 million annual remuneration for this season and the next, plus a potential €455,000 bonus for winning the Italian Serie A league.

Details of professional football contracts are often kept secret, but are widely speculated regardless. However, the length of the contracts is usually disclosed to the public. Italiano joined Bologna in June on a two-year contract, and while the details of his salary are speculated between €500,000 and €2.5 million per year depending on where you look, the length of the contract allegedly leaked is consistent with public reporting.

Scattered around other documents the criminals claim to be genuine are Italiano's tax ID code and bank account number.

Elsewhere, former assistant manager Emilio De Leo's alleged passport scan is included in the sample, and the directory tree of stolen files suggests RansomHub also has the passports, contracts, and personal data for the club's first-team players dating back to at least 2017.

Additionally, spreadsheets are plastered across the crooks' data leak site (DLS) appearing to show breakdowns of club financials, including the annual revenue taken from various sponsorships and the expected and owed money to other professional clubs in the league.

"Bologna FC was hacked due to lack of security on their network. All confidential data has been stolen," RansomHub said on its DLS. "Bologna FC does not have any data protection on its network which is why absolutely all their data was stolen."

RansomHub claimed to have stolen medical data too, as well as information on young players, commercial strategies, and business plans.

As ever with these things, the claims made by criminals should always be viewed with skepticism. They benefit from stoking negative publicity around the victim, regardless of how true their claims may be, and given that they're already serious criminals, likely don't have much consideration for libel law.

The Register contacted the club on Wednesday to verify the veracity of RansomHub's claims, but after more than 24 hours and multiple follow-ups, the club had not responded.

Emails to Bologna's publicly available legal team address bounced back, and neither the Serie A league nor Italy's national cybersecurity agency (NCC-IT) immediately responded.

However, a statement from the club on Friday confirmed ransomware: "Bologna Football Club 1909 S.p.a. announces that its security systems have recently been targeted by a ransomware cyberattack, affecting a cloud server and the internal perimeter. This criminal act has resulted in the theft of corporate data, which may be subject to publication. Anyone who comes into possession of such data is hereby warned against disseminating, sharing, or making any other use of it, as it originates from an illegal act."

Consistent with ransomware gangs' usual methods of operating, Bologna was given a three-day window to meet undisclosed demands.

RansomHub's countdown timer indicates that all the club's data will be placed on its DLS at noon (UTC) on November 29 unless their ransom demands – whatever they may be – are met.

The Register contacted RansomHub, but its usual spokesperson wasn't immediately available to answer questions.

Caught offside

We rarely hear about professional football clubs getting their balls kicked in public, but it's not entirely unheard of either.

In the UK, Manchester United famously suffered a cyberattack in 2020 which locked staff out of their email accounts, but there was never any disclosed data breach.

This year, Charlton Athletic was one of the small collection of clubs in England's lower leagues to report similar incidents. The League One side said an attack on its legacy infrastructure was carried out but data remained safe.

Just weeks later, fans of Championship clubs Bristol City and Sheffield Wednesday were sent phishing emails after crooks gained access to the former's systems, reportedly impersonating CFO Vicki Long.

The Dutch national football association (KNVB) confirmed it paid an undisclosed ransom following an attack in 2023, while Real Sociedad and Paris St Germain both reported their own issues since then too. ®
