Administrative fine against Sportadmin
The case was initiated following a cyber attack that occurred against Sportadmin in January 2025. The attacker gained access to data relating to more than 2.1 million individuals and subsequently published it on the Darknet. The data mainly concerned children and young people, including names and contact details, personal identity numbers, and information about which sport and sports club the individuals were associated with. The leaked data also included sensitive health data and, to some extent, data about persons with protected identity (meaning that their personal data is confidential).
“Cyber attacks and data breaches can never be entirely ruled out, but there is an obligation to maintain a level of security that is appropriate to the personal data being processed. Sportadmin did not do so, and there was a degree of passivity in addressing known risks,” says Eric Leijonram, Director General of IMY.
IMY’s supervision identified both technical and organisational deficiencies. For a long time prior to the attack, Sportadmin was aware of certain weaknesses in its systems and of areas with elevated risks of attack. The company worked to address these issues but is deemed not to have done enough. Sportadmin also lacked the routines required to detect deficiencies in existing security measures and did not have a system in place to detect intrusions and attempted intrusions in real time. Had such measures been in place, Sportadmin would have been better positioned to prevent the incident or, at the very least, limit the damage.
“When parents enter information about their children into a system, they should be able to feel confident that appropriate security measures are in place. In this case, Sportadmin has violated the requirements of the GDPR, which led to the leakage of data concerning a large part of Sweden’s population,” says Eric Leijonram.
IMY finds that Sportadmin has violated Article 32 of the General Data Protection Regulation (GDPR) and therefore imposes an administrative fine of SEK 6 million.
Contact
Press Office, telephone +46 (0) 8 515 154 15
More news on this topic
- Administrative fines against two companies in the SL Group (3 July 2025)
- Administrative fine against the Equality Ombudsman when personal data was collected via a web form (12 May 2025)
- The Hospital Board has failed in its security measures when handling e-mail (12 May 2025)
- Administrative fines against Apoteket and Apohem for transferring personal data to Meta (3 July 2025)