The Royal Spanish Golf Federation has communicated a security breach affecting data of its members after detecting unauthorized access to one of its information systems. The incident was located on March 24, after the access occurred between the 20th and 23rd of that same month.
The entity specifies that the compromised information corresponds to data from the registration forms and includes personal, identification, contact, location, and banking data, although without affecting payment methods. The origin of the incident was in a vulnerability within that system.
Single-person access and notification to the supervisory authority
The federation maintains that the access was carried out by a single person, who also collaborated in the correction of the detected vulnerability. It also assures that, with the information available so far, there are no indications that those data have been copied, disseminated, used for other purposes or communicated to third parties.
"We have no record that this breach has had a negative impact" - Royal Spanish Golf Federation
The breach has already been notified to the Spanish Data Protection Agency. In its communication, the RFEG maintains that, for the moment, it does not consider it probable that harm will materialize for the rights and freedoms of those affected.
Recommendation of vigilance against possible suspicious movements
Despite that initial analysis, the federation has recommended to the federated members that they exercise extreme caution regarding any communication or movement that turns out to be suspicious. The warning is especially directed at messages or contacts that may try to gather personal information taking advantage of the incident.
Along those lines, the entity emphasizes that it will not request data via email, SMS, messaging services, or by telephone. Any contact of that type should be quarantined by those affected.
Strengthening of security measures
After detecting the incident, the RFEG has applied measures to correct the vulnerability and has reinforced its security protocols. In addition, it maintains the monitoring of accesses to its applications and web portals to follow the evolution of the case and prevent new episodes.
The internal investigation remains open with the focus on verifying the real scope of the access and on confirming that there has been no subsequent misuse of the compromised information.