The Football Association of Ireland (FAI) has confirmed it suffered a security breach of its payroll systems, which was discovered last month, saying no staff data had been compromised.
It was previously feared that hackers could have stolen bank details for leading FAI employees and officials, like Ireland manager Mick McCarthy, and staff were told to monitor their bank accounts for unusual activity – but it looks like cyber-crooks failed to exfiltrate their bounty.
The FAI confirmed that at the source of the recent hacking attempt was a malware infection that was targeting payroll systems at its Abbotstown headquarters and was discovered over the June Bank Holiday.
Own goal for Leicester City FC after fan credit card details snatched in merch store hackREAD MORE
The organisation previously told the Irish Independent that these systems stored names, salaries, contact details, bank account details and Personal Public Service numbers of staff.
"Upon becoming aware of the incident, the FAI immediately engaged external computer forensic experts to assist with investigating the incident," the org said in a statement issued on Wednesday to all current and former staff.
"These investigations found malware on a payroll server but the FAI have assured staff, and former staff, today that there is no evidence of any of their data being extracted from the server."
In the latest statement, the football body noted that all payment data was actually stored off-site, and details relating to ticket sales were handled by a third party, and were thus not affected. Nor was the FAInet system that handles player registration details, introduced in 2016, it said.
"The FAI have treated this matter very seriously and are focused on closing out this incident and preventing any further security incidents," the org added.
The episode can serve as a great example of how to comply with GDPR: the FAI got in touch with the Irish Office of the Data Protection Commission as soon as the breach was discovered – even though there was a chance it could turn into a huge PR disaster. It also informed the police service.
"The Office of the Data Protection Commission has been notified of the incident as well as our efforts to ensure that no data subjects were adversely impacted," the FAI said. ®