Swedish Privacy Watchdog Fines Sportadmin After Data Breach Exposes Millions
Key Takeaways
- Regulator Imposes Fine: Sweden’s privacy watchdog fined Sportadmin $560,000 (SEK 6 million) for failing to implement adequate IT security measures under GDPR.
- Children’s Data Massively Exposed: The January 2025 cyberattack led to the exposure of personal data on more than 2.1 million individuals, primarily children and young people involved in sports clubs.
- Known Weaknesses Left Unresolved: Investigators found Sportadmin was aware of security vulnerabilities and elevated risks well before the breach but did not take sufficient action.
- No Real-Time Intrusion Detection: The absence of systems to detect intrusions or attempted intrusions in real time limited Sportadmin’s ability to prevent or contain the attack.
- GDPR Article 32 Breach Confirmed: The Swedish Data Protection Authority concluded that Sportadmin violated GDPR requirements by failing to align security controls with the sensitivity and scale of the data it processed.
Deep Dive
Sweden’s privacy regulator has fined Sportadmin roughly $560,000 (SEK 6 million) after concluding that the company failed to implement adequate IT security measures ahead of a major cyberattack that exposed personal data on more than 2.1 million people.
The sanction follows an investigation by the Swedish Data Protection Authority, known as the IMY, into a January 2025 intrusion in which attackers gained access to vast amounts of personal information and later published it on the Darknet. Much of the compromised data related to children and young people involved in sports clubs across Sweden.
According to IMY, the leaked information included names, contact details, personal identity numbers, and details linking individuals to specific sports and clubs. In some cases, the breach also exposed sensitive health data and protected personal information.
While IMY acknowledged that cyberattacks cannot always be prevented, it said Sportadmin failed to meet its obligations under data protection law by not aligning its security controls with the risks associated with the volume and sensitivity of the data it processed.
“IT attacks and data leaks can never be completely ruled out, but you are obliged to have a level of security adapted to the personal data you handle,” said Eric Leijonram, Director General at IMY. “Sportadmin has not had this, and there has been a passivity in managing known risks.”
The authority’s review identified both technical and organizational shortcomings. IMY found that Sportadmin had long been aware of weaknesses in its systems and of areas with elevated risk of attack. Although the company had taken some steps to address these issues, the regulator concluded that those efforts fell short.
Crucially, IMY said Sportadmin lacked procedures to systematically detect deficiencies in existing security measures and did not have real-time monitoring in place to identify intrusions or attempted intrusions. Had such controls existed, the company might have been able to prevent the breach or at least limit its impact.
Leijonram stressed the expectations placed on organizations that handle children’s data. “When you, as a parent, enter information about your child into a system, you should be able to feel confident that appropriate security measures are in place,” he said. “In this case, Sportadmin violated the requirements of the GDPR, which led to the exposure of information relating to a large part of Sweden’s population.”
IMY ultimately decided that Sportadmin had breached Article 32 of the General Data Protection Regulation (GDPR), which requires organizations to implement appropriate technical and organizational measures to ensure the security of personal data. The authority imposed a sanction fee of $560,000 (SEK 6 million) as a result.

