Sportadmin Fined SEK 6 Million for GDPR Data Leak

IMY News (Sweden DPA)
Filed January 28th, 2026
Detected February 11th, 2026

Summary

The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.

What changed

The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 6 million against Sportadmin for violations of the General Data Protection Regulation (GDPR). This action follows an IT attack in January 2025 where personal data of over 2.1 million individuals, including sensitive health data and information on children, was leaked onto the Darknet. IMY determined that Sportadmin failed to implement an appropriate level of technical and organizational security measures, despite being aware of system weaknesses and elevated risks, and lacked adequate intrusion detection capabilities.

This enforcement action highlights the critical need for robust data security practices under GDPR. Regulated entities, particularly those processing sensitive personal data or data of minors, must ensure their security measures are adequate and actively monitored. While no specific compliance deadline is mentioned for Sportadmin's remediation, the SEK 6 million fine underscores the significant financial penalties for non-compliance with GDPR security requirements. Companies should review their cybersecurity protocols, risk assessments, and intrusion detection systems to prevent similar breaches and avoid substantial fines.

What to do next

  1. Review and enhance technical and organizational security measures for personal data processing.
  2. Implement or improve intrusion detection and real-time monitoring systems.
  3. Conduct thorough risk assessments and address identified security weaknesses promptly.

Penalties

SEK 6 million administrative fine

Source document (simplified)

Administrative fine against Sportadmin

Published: 28 January 2026

The Swedish Authority for Privacy Protection (IMY) has supervised the company Sportadmin following an IT attack in which a large volume of personal data was leaked. The review shows that Sportadmin did not have an appropriate level of security to protect the personal data the company processed. IMY therefore decides to impose an administrative fine of SEK 6 million.

The case was initiated following a cyber attack that occurred against Sportadmin in January 2025. The attacker gained access to data relating to more than 2.1 million individuals and subsequently published it on the Darknet. The data mainly concerned children and young people, including names and contact details, personal identity numbers, and information about which sport and sports club the individuals were associated with. The leaked data also included sensitive health data and, to some extent, data about persons with protected identity (meaning that their personal data is confidential).

“Cyber attacks and data breaches can never be entirely ruled out, but there is an obligation to maintain a level of security that is appropriate to the personal data being processed. Sportadmin did not do so, and there was a degree of passivity in addressing known risks,” says Eric Leijonram, Director General of IMY.

IMY’s supervision identified both technical and organisational deficiencies. For a long time prior to the attack, Sportadmin was aware of certain weaknesses in its systems and of areas with elevated risks of attack. The company worked to address these issues but is deemed not to have done enough. Sportadmin also lacked the routines required to detect deficiencies in existing security measures and did not have a system in place to detect intrusions and attempted intrusions in real time. Had such measures been in place, Sportadmin would have been better positioned to prevent the incident or, at the very least, limit the damage.

“When parents enter information about their children into a system, they should be able to feel confident that appropriate security measures are in place. In this case, Sportadmin has violated the requirements of the GDPR, which led to the leakage of data concerning a large part of Sweden’s population,” says Eric Leijonram.

IMY finds that Sportadmin has violated Article 32 of the General Data Protection Regulation (GDPR) and therefore imposes an administrative fine of SEK 6 million.

The decision in Swedish

Related links
- Beslut efter tillsyn enligt GDPR_Sportadmin i Skandinavien AB.pdf (pdf, 217 kB)

Contact

Press Office, telephone +46 (0) 8 515 154 15

Latest update: 28 January 2026

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: January 28th, 2026
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Employers, Technology companies
Geographic scope: National (Sweden)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, GDPR
