What happened
The SportAdmin data leak case resulted in a €565,000 administrative fine after hackers accessed the company’s IT systems in January 2025 via an SQL injection attack. The intrusion allowed attackers to interfere with database queries by injecting malicious SQL code into input fields, leading to exposure of personal data for more than 2.1 million people—most of them children. The exposed dataset included names, contact details, Social Security numbers, guardian and family relationship information, sports club affiliations, and health-related details such as allergies and disabilities. The sensitive data was later published on the dark web in March 2025. IMY (Sweden’s data protection and privacy authority) investigated and concluded SportAdmin failed to implement appropriate security measures required under GDPR Article 32, citing insufficient protection against SQL injection, excessive user permissions, weak code review routines in complex/legacy code, and monitoring that failed to detect the intrusion in real time.
Who is affected
Sports clubs using SportAdmin and the individuals whose data was stored in the platform—especially children and guardians—are directly affected. Exposure is direct because identifiable and sensitive records were accessed and later published, with potential downstream impacts for affiliated clubs.
Why CISOs should care
SQL injection remains a high-impact, preventable class of vulnerability that can produce large-scale regulated data exposure, especially where children’s data and health-related fields are involved. Regulatory scrutiny and fines, combined with reputational damage and victim notification obligations, can be severe when basic secure SDLC and monitoring controls fail.
3 practical actions
- Eliminate SQL injection risk paths: Implement parameterized queries, robust input validation, and WAF rules tuned for injection attempts across all internet-facing applications.
- Reduce blast radius with least privilege: Tighten database and application permissions so a single compromised path cannot access broad user datasets or sensitive fields.
- Strengthen detection and code assurance: Expand code review coverage for legacy modules and implement real-time monitoring/alerting for anomalous database query patterns.