
GNK Dinamo security incident: warning to members over fake messages and personal data protection

GNK Dinamo has warned members about possible fake messages after a security incident involving some personal data. The club says its official websites were not directly affected and that, according to available information, card details and passwords were not compromised.

Illustration: Karlobag.eu

Dinamo warned members about fake messages after a security incident: cards and passwords, according to the club, were not compromised

GNK Dinamo published an updated notice on 3 June 2026 about a security incident connected to the data of some members and stated that, according to the information currently available, the incident did not directly affect the club's official websites. The club states that card data and passwords were not compromised, but confirms that the incident included limited categories of personal data belonging to some members. Among the data mentioned are first name, last name, OIB, contact details and other data that an individual member may have personally entered into the system. The club says that after receiving notification of a possible incident it launched an internal investigation, engaged external independent security and other experts, and began further strengthening data protection.

The updated notice came a day after the club first informed members that it had received information about a possible security incident. In that first announcement, Dinamo stated that the exact scope of the event, the categories of data potentially affected and the number of members to whom the incident may relate were being determined. In the new notice, the club provides more details, but still uses wording indicating that the investigation and assessment of the consequences have not been fully completed. According to GNK Dinamo's announcement, affected members will also be notified by e-mail, and for questions about data or possible concerns, the club refers them to the data protection officer.

What the club has officially confirmed so far

According to GNK Dinamo's updated notice, after receiving information about a possible incident, the club launched an internal investigation and engaged external experts to establish the circumstances of the event. Dinamo states that, according to the information currently available, the incident did not occur directly on its websites. The club also points out that the scope of the incident is limited and that, according to the information it has from the processor, there is no danger of other incidents of the same kind. "Processor" is the GDPR term for an external party that handles personal data on the club's behalf, so this wording means that the club is basing part of its information on data received from a third party involved in data processing, and not only on its own internal review.

The most important message for members concerns the types of data that the club claims were not affected. Dinamo explicitly announced that card data and password data were not compromised. This is important because payment data and access passwords in similar incidents can create room for direct financial damage or unauthorized entry into user accounts. The club, however, does not claim that the incident did not affect any personal data. On the contrary, in the notice it states that limited categories of personal data were included, which differ depending on the member.

The official announcement mentions first name, last name, OIB, contact details and other data that the member may have personally entered into the system. Dinamo emphasizes that not every listed category applies to every member. The scope is therefore not described as a single set of data for the entire database, but as an incident with different consequences for different people. That is why members should read carefully any notice they receive by e-mail, and also check whether it was truly sent from a credible club address.

Why personal data such as OIB and contact details require caution

Although Dinamo states that passwords and card data were not compromised, data such as first name, last name, OIB, e-mail address, telephone number or other contact information can be sensitive. The OIB is a unique personal identification number and, unlike a password, cannot be changed; in combination with other data it can be misused in attempts at fraud, impersonation or targeted messages that appear more convincing than ordinary spam, and that exposure does not expire. Contact details alone do not mean that financial damage has occurred, but they make it easier for attackers to convince people that they are communicating with a known organization, because the message can address the recipient by name and reference a real membership. That is why the warning about fake messages is not only about IT hygiene, but also about the real risk of subsequent attempts to exploit the exposed data.

In the notice, the club directly warns members to watch out for suspicious and fake e-mails, to protect their passwords, change them regularly and pay attention to their complexity. Such a recommendation matters most if users reuse the same password across several online services, because a password leaked elsewhere can then be tried against the club's services as well. Although Dinamo states that passwords were not affected by this incident, changing a password is a reasonable precaution if it is old, weak or reused; current guidance such as NIST SP 800-63B stresses length and uniqueness over scheduled rotation, so one long, unique password is worth more than frequent changes of a weak one. It is even more important not to enter a password, card data or other personal data on pages reached through links from suspicious messages.

According to explanations from the National CERT, phishing is based on manipulating users with the aim of collecting confidential data, including usernames, passwords and credit card data. The police also describe phishing as online identity theft in which fake e-mails try to persuade users to share personal, financial or security data. In practice, this means that after such an incident, messages may appear that falsely present themselves as club notifications, requests to confirm data, calls to change passwords or notices about alleged problems with membership. The key warning signs are an unusual sender address, pressure to react urgently, grammatical errors, unexpected attachments and links that do not lead to the official domain. Two details matter when checking these signs: the display name of the sender is freely chosen by whoever sends the mail, so only the actual address behind it says anything, and the text of a link can show the official domain while its real target leads elsewhere, so the target should be checked before clicking.
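The warning signs listed above can be checked mechanically before anyone clicks. The following is an added example written for this article; it is not code from GNK Dinamo, the National CERT or the police. It assumes that gnkdinamo.hr is the club's official domain (an assumption to be confirmed against the club's own notice) and runs over two constructed sample messages, one resembling a plausible club notice and one resembling a phishing attempt. It also goes slightly beyond the text by handling two common tricks behind "links that do not lead to the official domain": a decoy official name placed before an @ in the URL, and the official name embedded in a lookalike host.

```python
"""Heuristic triage of one e-mail for the phishing signs discussed above:
sender domain, Reply-To mismatch, link targets, urgency language, attachments.
Added example for this article; standard library only."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the club's official domain. Confirm against the club's own notice.
OFFICIAL_DOMAIN = "gnkdinamo.hr"

# Small illustrative list of pressure phrases; extend it for real use.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "confirm your data", "urgent")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Host the browser would really connect to, lowercased.
    urlparse().hostname drops the userinfo part, so
    'https://gnkdinamo.hr@login-check.example/' yields 'login-check.example'."""
    host = urlparse(url.rstrip(".,;)")).hostname
    return host.lower().rstrip(".") if host else ""


def on_official_domain(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain or a genuine subdomain of it.
    'gnkdinamo.hr.example' and 'gnk-dinamo.hr' both fail although the
    official name appears in them."""
    return host == official or host.endswith("." + official)


def looks_like_lookalike(host, official=OFFICIAL_DOMAIN):
    """Official brand label embedded in a host that is not under the official
    domain (dots and hyphens ignored, so 'gnk-dinamo' still matches)."""
    squash = lambda s: re.sub(r"[-.]", "", s)
    brand = squash(official.split(".")[0])
    return not on_official_domain(host, official) and brand in squash(host)


def extract_urls(msg):
    """URLs from every text part; HTML hrefs are read explicitly because
    the href can differ from the link text the reader sees."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            urls += HREF_RE.findall(body) + URL_RE.findall(body)
    return list(dict.fromkeys(urls))  # de-duplicate, keep order


def triage(raw_message, official=OFFICIAL_DOMAIN):
    """Return a list of warning signs found in one raw RFC 5322 message.
    An empty list means none of these heuristics fired, not that the mail is safe."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2].lower()
    if not on_official_domain(from_host, official):
        findings.append(f"sender domain is not official: {from_host}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_host:
        findings.append(f"Reply-To points elsewhere: {reply_addr}")

    for url in extract_urls(msg):
        host = host_of(url)
        if not on_official_domain(host, official):
            kind = "lookalike" if looks_like_lookalike(host, official) else "external"
            findings.append(f"{kind} link host: {host}")

    bodies = " ".join(TAG_RE.sub(" ", p.get_content()) for p in msg.walk()
                      if p.get_content_type() in ("text/plain", "text/html"))
    text = re.sub(r"\s+", " ", msg.get("Subject", "") + " " + bodies).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("unexpected attachment")

    return findings


# Constructed samples for this example; not real mail from the club or anyone else.
PHISH = """\
From: GNK Dinamo Members <membership@gnkdinamo-clanovi.example>
Reply-To: support@mail-verify.example
To: member@example.net
Subject: Urgent: confirm your data after the security incident
Content-Type: text/html; charset=utf-8

<p>Your membership will be suspended within 24 hours unless you confirm your
data at <a href="https://gnkdinamo.hr@login-check.example/confirm">https://gnkdinamo.hr/confirm</a>
or at https://gnkdinamo.hr.clan-provjera.example/.</p>
"""

LEGIT = """\
From: GNK Dinamo <clanstvo@gnkdinamo.hr>
To: member@example.net
Subject: Notice about the security incident
Content-Type: text/plain; charset=utf-8

Details and the data protection officer contact are at https://gnkdinamo.hr/.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or ["no warning signs found"])
```

In the phishing sample the visible link text reads https://gnkdinamo.hr/confirm while the href sends the browser to login-check.example, which is why the check reads the href rather than the text. The checks are deliberately heuristic: a message that passes them is not proven genuine, and the safest route for anything that asks for data remains typing the club's address manually or writing to the data protection officer at the contact given in the official notice.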

Obligations under personal data protection rules

The incident must also be viewed through the framework of the General Data Protection Regulation, known as the GDPR, because it concerns a possible impact on the personal data of natural persons. According to information from the Croatian Personal Data Protection Agency, the controller is obliged, without undue delay and, where feasible, no later than 72 hours after becoming aware of a breach, to notify the supervisory authority (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The same article requires a processor that becomes aware of a breach to notify the controller without undue delay, which is relevant here because the club says part of its information comes from a processor. The GDPR further prescribes (Article 34) that individuals are notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms. The assessment of such risk depends on the type of data, the scope of the incident, the possibility of misuse and the measures taken after discovery.

In its official notices, Dinamo states that the club's priorities are the protection of members, transparent public information and the taking of necessary measures in accordance with personal data protection regulations. In the announcement, the club did not state all the technical details of the incident, which is common in the early stage of security checks because publicly disclosing too many details can make the investigation more difficult or create room for additional misuse. At the same time, for people whose data may have been included, it is important to receive sufficiently clear information about which data were affected, what the risk is and what steps they should take. That is precisely why the announced individual notification of affected members by e-mail is a significant part of the further procedure.

In such cases, the decisive issue is not only whether a system was technically attacked, but whether there was unauthorized access to, disclosure of or loss of control over personal data. Dinamo claims that the incident did not occur directly on the club's websites, but at the same time confirms that certain categories of data belonging to some members were included. This points to the possibility that the incident is connected with the processing or storage of data in a broader digital environment, including external service providers, although the club has not published details that would allow a firm conclusion about the technical cause. Until the investigation is completed, it is most precise to speak of a security incident of limited scope, as the club itself describes it.

Media claims and officially confirmed information should be distinguished

Before Dinamo's updated notice, media reports appeared in public about claims that some data had allegedly been offered or mentioned in an environment connected with the dark web. Tportal, for example, reported allegations that a post mentioned a compromised database and a hacker group presenting itself as INF Group. Such information should be treated cautiously because it is based on alleged claims by third parties and is not the same as official confirmation by the club or the competent authority. In the official notice, Dinamo did not name the alleged perpetrators, did not confirm the number of affected records and did not announce that card data or passwords had been compromised.

Distinguishing officially confirmed information from claims circulating on the internet is important to avoid panic, but also to protect members from additional fraud. In cyber incidents, attackers or people presenting themselves as attackers often use public attention to increase pressure on the organization or encourage users to react hastily. For this reason, the most reliable approach is to rely on official club announcements, notices from competent authorities and verified security recommendations. If a member receives a message referring to the incident and asking them to enter a password, card data or OIB through a link, such a request should be considered suspicious until it is verified directly through official channels.

In the first notice dated 2 June, Dinamo stated that it would inform members and the public without delay as soon as confirmed information about the scope of the incident and any affected categories of data became available. The updated notice dated 3 June is a continuation of that process, but it does not necessarily have to be the last piece of information about the event. If the investigation establishes new facts, the club, according to its own announcements and personal data protection rules, should continue notifying those to whom the incident relates. For the public, it is crucial that every new claim be clearly separated from what has already been confirmed.

What members can do immediately

Members who used digital services connected with the club should first follow GNK Dinamo's official announcements and pay attention to any individual notice that may arrive by e-mail. Such a message should be checked carefully: the sender must be credible, links should not be opened automatically, and requests to enter a password, card data or additional personal data should trigger special caution. It is safer to manually open the club's official website or contact the data protection officer at the address stated by the club in its notice. If the message looks suspicious, one should not reply to it or open attachments.

It is advisable to change the password for the user account if an old or weak password is being used, especially if the same password has been used on other services. A good password should be long, unique and hard to guess, and where possible, multi-factor authentication should be enabled, because it limits the damage if a password is phished later. If a user receives a message requesting urgent payment, card confirmation or re-entry of personal data, the request should be checked through another channel before any action is taken. CERT and the police, in their general recommendations, warn that the aim of phishing messages is to induce the user to hand over data or click on a malicious link, so calm verification is the best protection.

Caution is also needed in the coming weeks, because fraud attempts do not have to appear immediately after the incident. If someone's contact details were affected, fake messages may appear later and may refer to membership, tickets, benefits, prize games or an alleged security check. Sharing photos of personal documents, card data or one-time codes for transaction confirmation should be especially avoided. In case of suspicion of misuse of financial data, the bank should be contacted immediately, and in case of fraud or attempted fraud, the police and relevant cybersecurity services may be notified.

Digital trust is becoming part of the responsibility of sports organizations

The security incident at Dinamo shows how much sports clubs have become digital organizations. Memberships, tickets, online shops, newsletters, applications and communication with fans rely on databases and external technological systems. Such a model brings faster communication and simpler services, but also increases responsibility for the protection of personal data. In public, sports organizations are often viewed through results, transfers and matches, but their digital infrastructure is an increasingly important part of the trust between the club and its members.

For Dinamo, the further course of the case will depend on the results of the investigation, possible additional notices and measures that the club will implement to reduce the risk of similar events recurring. The club has already announced that actions are being taken to further strengthen the security of all data, but it has not stated in detail which technical and organizational measures will be implemented. At this stage, the most important thing is that members do not panic, but act cautiously, especially toward messages that request a quick reaction or the entry of sensitive data. According to the available official information as of 04 June 2026, it has been confirmed that the incident has a limited scope, that notification of affected members is continuing and that the club claims card data and passwords were not compromised.

Sources:
- GNK Dinamo – updated official notice about the security incident and the categories of data that may have been included (link)
- GNK Dinamo – first notice to members about a possible security incident and the launch of an internal procedure (link)
- Croatian Personal Data Protection Agency – information on reporting a personal data breach and the 72-hour deadline (link)
- EUR-Lex – text of the General Data Protection Regulation, including rules on personal data breaches (link)
- National CERT – explanation of phishing and the way confidential data are attempted to be collected (link)
- Police Directorate – explanations about internet fraud and phishing messages (link)
- Tportal – media report about allegations that preceded the club's official notices (link)
