Dinamo: the security incident did not directly affect the club's websites, cards and passwords were not compromised
GNK Dinamo published an updated notice on June 3, 2026, about the security incident, after claims had appeared a day earlier about a possible leak of data connected with club members. According to the club's announcement, the information currently available indicates that the incident did not take place directly on GNK Dinamo's websites. The club states that bank card data and passwords were not affected, but confirms that the incident involved limited categories of personal data of some members. Dinamo said that affected persons would be notified not only through a public announcement but also individually, by e-mail, if the incident concerns their data. In the same statement, the club calls for caution because of possible fake messages, especially in the period after public information about a security event.
The club engaged external experts
According to GNK Dinamo's updated notice, after receiving information about a possible security incident, an internal investigation was launched, and external, independent security and other experts were brought into the process. The club states that the aim of the investigation is to determine the circumstances of the incident, its scope and the possible consequences for members whose data are held in the systems Dinamo uses. In the announcement, Dinamo also referred to information obtained from the processor, stating that, according to that information, there is no risk of further incidents of the same kind. Such wording indicates that the role of external systems or partners that process certain data on behalf of the club is also being examined, but the publicly available notice does not give a detailed technical description of the attack. The club additionally said that actions are being taken to strengthen the security of all data, without specifying concrete technical measures.
Dinamo points out that, according to the information so far, the incident did not affect all members, nor the same categories of data for every person. The club stated that the potentially affected categories may include first name, surname, OIB, contact details and other data, if an individual member left them in the system. That distinction matters because the risk to an individual depends not only on whether a system was affected, but also on what type of data was exposed, how much data is linked to the same person and whether that combination can be used for fraud or identity theft. Dinamo therefore announces individual notification of those to whom the incident relates. For questions and concerns about data, the notice lists the contact address of the club's data protection officer, dpo@gnkdinamo.hr.
What was not affected according to the club's announcement
The most important message from Dinamo's updated notice concerns financial and access data. The club explicitly states that card data and password data were not affected. This information significantly reduces part of the immediate risk that would exist in the event of compromise of card numbers, security codes or credentials for access to user accounts. Still, that does not mean that personal data that may have been included in the incident cannot be misused. First name and surname, OIB, e-mail address, telephone number or residential address can be used for more convincing fake messages, attempts at social engineering, impersonation or combination with data from other sources.
According to earlier media reports, the news about a possible hacker attack spread on June 2, 2026, when claims were published that the data of Dinamo members had been compromised. In the context of those claims, Index wrote that approximately 50 thousand records, or 52,009 unique records, were mentioned in posts connected with the attack, and that a group presenting itself as a Serbian hacker group was mentioned as the alleged perpetrators of the attack. Those claims have not been fully confirmed by Dinamo's notice. In the updated statement, the club confirmed the limited scope of the incident and certain categories of personal data, but did not publish the final number of affected members or technical details about the source of the incident. For that reason, at this moment it is most precise to speak of a security incident of limited scope, with the note that the details are still based on available, not final, information.
Why members have been specifically warned about fake messages
In its announcement, Dinamo advised members to be cautious because of suspicious and fake e-mails, to change passwords regularly and to use sufficiently complex passwords. Such a warning is common after incidents in which contact details may have been affected, because attackers do not have to have a password or card data in order to attempt fraud. It is enough for them to have credible personal data in order to make the message more convincing. For example, a fake message may look like a club notification, a request to confirm membership, an alleged check of a user account, a refund, payment of a membership fee or an update of card data. If such a message is sent to a person whose basic data are known, the probability that the recipient will react without additional verification may be higher.
The Croatian Personal Data Protection Agency, in its advice on phishing attacks, warns that links in suspicious messages should not be opened and that personal or card data should not be entered when the requested action looks unusual. The Police Directorate states in its preventive materials on internet fraud that fraudsters use fake e-mail messages, SMS messages or telephone calls to try to induce citizens to share personal, financial or security data. In the context of Dinamo's notice, this means paying special attention to the sender, the link address, grammatical errors, unusual requests for urgent payment and every request to enter a password or card on a page reached from a message. If a message raises suspicion, it is safer to open the club's official website manually or use the official contact, instead of clicking on a link from an e-mail.
The broader legal framework: when AZOP and data subjects are notified
Security incidents that include personal data in the European Union are assessed within the framework of the General Data Protection Regulation, known as the GDPR. AZOP states that, in the event of a personal data breach, the controller must without undue delay, and where feasible no later than 72 hours after becoming aware of the breach, inform the Croatian Personal Data Protection Agency if the breach is likely to result in a risk to the rights and freedoms of individuals. AZOP also states that, if the breach is likely to result in a high risk to data subjects, the controller must without undue delay also notify the persons to whom the data relate, in clear and simple language. The obligations in a concrete case depend on the risk assessment, the nature of the affected data, the number of persons, possible consequences and protective measures that were applied.
AZOP emphasizes in its instructions that not every security incident is at the same time a personal data breach, but every incident that includes personal data should be assessed without delay. A personal data breach, according to AZOP, may relate to the confidentiality, availability or integrity of data, for example in cases of unauthorized access, loss of a device, sending data to the wrong recipient or a ransomware attack. In Dinamo's case, the club publicly speaks about a possible security incident, limited categories of personal data and individual notification of members to whom the incident relates. The available public notice does not indicate the final legal qualification of the incident nor details about any notifications to the regulator, so only what the club directly stated can be concluded: an investigation has been launched, experts have been engaged, and the public and affected members should be informed about the relevant facts.
The role of the processor and the importance of transparency
Dinamo's notice mentions information obtained from the processor. AZOP states in its explanations that the controller is the person or organization that determines the purposes and means of processing personal data, while the processor is the entity that processes personal data on behalf of the controller. In practice, this means that organizations often use external systems for sales, membership, communication, billing, support or user account management. Such a model is not unusual, but it requires contractual regulation of obligations and appropriate technical and organizational protection measures. Precisely for that reason, in incidents of this type it is important to determine exactly where the incident originated, who had access to the data, which data were available and which measures should be taken so that a similar event does not happen again.
According to the official privacy policy published on Dinamo's website, the club is listed as the controller, with the address Maksimirska 128 in Zagreb and the OIB 93376857458. In the same document, Dinamo states that it collects personal data through websites, forms, applications and product sales, and that the data that may be collected in different scenarios include first name, surname, date of birth, e-mail, home or delivery address and telephone number. These data are common in membership and online sales systems, but at the same time they show why the protection of such systems must be a continuous process and not a one-time technical measure. For the public, in cases like this, it is crucial that notices are clear enough for affected persons to understand their own risk and decide which steps they should take.
What members can do immediately
Although Dinamo states that passwords and card data were not compromised, members who have received a notice or fear that they could be affected by the incident can take several proportionate precautionary measures. The first is checking all messages that allegedly come from the club, especially if they request urgent action, entry of a password, entry of card data or confirmation of personal data through a link. The second is changing the password on a user account if the same or similar password also exists on other services, because password reuse is considered one of the most common security risks. The third is monitoring attempts at unusual contact by e-mail, SMS or telephone, especially if the caller refers to membership, ticket purchases or an alleged security procedure. The fourth is avoiding the sending of personal documents or the OIB through unverified channels.
- Check the sender's address and do not rely only on the displayed sender name.
- Do not open links from messages that request entry of a password, card or additional personal data.
- If you need to check an account or membership, open the official website by manually entering the address in the browser.
- Change your password if you used the same password on several services, and avoid simple combinations.
- Compare suspicious messages with the club's official announcements or send an inquiry to the data protection officer.
These measures do not mean that every member is exposed to a direct threat, but represent reasonable caution after an incident in which, according to the club, certain categories of personal data may have been affected. It is especially important to distinguish an official notice from messages that try to exploit public attention. After announcements about security incidents, fake messages often appear that rely on a real event in order to seem convincing. If a message requests an urgent payment, entry of a card, sending a copy of a document or confirmation of a password, such a request should be considered suspicious until it is checked through an official channel. Dinamo placed special emphasis on exactly such caution in its notice.
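The checks described above (look at the real sender address rather than the displayed name, look at where a link actually points, treat urgent requests for a password, card or OIB as suspicious) can be applied mechanically to a message before anyone clicks. The script below is an added example written for this article; it is not code from GNK Dinamo or from any of the cited sources. It assumes that gnkdinamo.hr, the domain of the data protection officer's address quoted in the notice, is the club's only legitimate sending and link domain, and the two e-mail messages it inspects are constructed for the demonstration.

```python
"""Triage of e-mails that claim to come from the club (added example).

Assumptions: gnkdinamo.hr is the only official domain (taken from the DPO
address in the notice); both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the club's only legitimate sending and link domain.
OFFICIAL_DOMAINS = {"gnkdinamo.hr"}

# Pressure wording and sensitive requests; both together mark a likely phish.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended")
SENSITIVE_TERMS = ("password", "card", "oib", "membership fee", "refund")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_of(host_or_addr: str) -> str:
    """Last two DNS labels of a host or e-mail address, lower-cased.

    This collapses look-alike hosts such as gnkdinamo.hr.example.com
    to example.com, so a prefixed 'official' name does not pass.
    """
    host = host_or_addr.rsplit("@", 1)[-1].lower().strip("[]")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_text(msg) -> str:
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    # 1. The address behind the display name is what counts.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if sender_domain not in OFFICIAL_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not an official domain")
        if "dinamo" in display_name.lower():
            findings.append("display name impersonates the club while the address does not match")

    # 2. A Reply-To elsewhere silently redirects any answer.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)!r} differs from sender domain")

    # 3. Every link must point at an official domain.
    text = (msg.get("Subject", "") + "\n" + extract_text(msg))
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if domain_of(host) not in OFFICIAL_DOMAINS:
            findings.append(f"link points to {host!r}, not an official domain")

    # 4. Urgency combined with a request for credentials or payment data.
    lowered = text.lower()
    sensitive = [t for t in SENSITIVE_TERMS if t in lowered]
    if any(t in lowered for t in URGENCY_TERMS) and sensitive:
        findings.append("urgent request involving " + ", ".join(sensitive))
    return findings


# Constructed phishing sample: look-alike sender, foreign Reply-To, disguised link.
PHISHING_SAMPLE = """\
From: GNK Dinamo Members <members@gnkdinamo-hr.com>
Reply-To: support@example.net
To: member@example.org
Subject: Urgent: confirm your membership
Content-Type: text/plain; charset=utf-8

Dear member, following the security incident your account will be suspended.
Confirm your password and card within 24 hours at
http://gnkdinamo.hr.example.com/confirm
"""

# Constructed clean sample: official sender, official link, no pressure wording.
CLEAN_SAMPLE = """\
From: GNK Dinamo <info@gnkdinamo.hr>
To: member@example.org
Subject: Notice about the security incident
Content-Type: text/plain; charset=utf-8

We are informing you about the incident. Details are on our website:
https://gnkdinamo.hr/notice
If you have questions, write to dpo@gnkdinamo.hr.
"""

if __name__ == "__main__":
    for name, sample in (("phishing sample", PHISHING_SAMPLE), ("clean sample", CLEAN_SAMPLE)):
        print(name, "->", triage(sample) or ["no findings"])
```

The domain comparison deliberately keeps only the last two labels, so a host such as gnkdinamo.hr.example.com is judged by example.com and the prefixed club name gains nothing; the same logic would need a public-suffix list for domains registered under second-level suffixes such as .co.uk.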
What is still unknown
At this moment, the final number of persons to whom the incident relates has not been publicly announced. Dinamo stated that the affected categories of personal data do not apply to all members and that those affected will also be notified by e-mail. A detailed technical description of the incident has not been published either, which is common practice while an investigation is ongoing, because premature disclosure of technical details can make verification, remediation or cooperation with the competent authorities more difficult. It has also not been officially confirmed to what extent the media claims about the number of records and the alleged perpetrators are accurate. For now, only what the club stated has been confirmed: according to the currently available information, the incident did not directly affect GNK Dinamo's websites and did not compromise cards or passwords, but it did include limited categories of personal data of some members.
For members and the public, the club's next steps will be the most important. This includes individual notices to affected persons, additional explanations about categories of data, continued strengthening of security measures and possible new information if confirmed by the investigation. In cases involving personal data, timely and clear communication is not only a reputational issue, but also an important part of reducing the risk for persons whose data may have been affected. The more concrete the notices are, the easier it is for individuals to assess whether they should change passwords, monitor possible fraud, contact the data protection officer or request additional information. In its current notice, Dinamo says that its priority is the protection of members' data, transparent informing of the public and taking measures in accordance with personal data protection regulations.
Sources:
- GNK Dinamo / X – the club's official updated notice on the security incident and recommendations to members (link)
- Index Sport – report on Dinamo's updated statement and the context of earlier claims about the incident (link)
- Index Sport – Dinamo's earlier statement of June 2, 2026, about a possible security incident (link)
- Sportske novosti / Jutarnji list – additional media check of Dinamo's announcement and summary of established information (link)
- GNK Dinamo – privacy rules, data on the controller and categories of data processed by the club (link)
- Croatian Personal Data Protection Agency – instructions on reporting personal data breaches and obligations under the GDPR (link)
- Croatian Personal Data Protection Agency – advice for recognizing phishing attacks and protecting personal data (link)
- Police Directorate – preventive information about internet fraud, phishing, smishing and identity theft (link)