AiLock exfiltrates 129 GB of England Hockey data and threatens to publish it

England Hockey officials have launched an investigation after the organization appeared on the leak site of the ransomware group AiLock, which claims to have exfiltrated federation data. According to the group's post, the attackers reportedly made off with around 129 GB of information and are threatening to publish the files unless a ransom is paid. The organization, which is responsible for managing and promoting field hockey throughout the country, has acknowledged the situation and says it is addressing the issue with the highest priority.

In its public response, England Hockey said that it is working with external experts and involving the competent authorities while it establishes exactly what has happened. For the time being, it has not provided specific details on the nature of the data that might be affected, nor has it independently confirmed the extent of the access claimed by the group. The news was reported by security-focused outlets such as BleepingComputer, which quotes the organization itself and the actor's listing on its leak portal.

The potential scope of the incident is a concern because of both the volume of information and the number of individuals and entities linked to England Hockey: the federation brings together more than 800 clubs, about 150,000 registered players and about 15,000 coaches, umpires and officials. If a data leak is confirmed, the impact could therefore extend from fans and grassroots players to elite-level squads and teams.

AiLock is a relatively recent actor in the ransomware ecosystem, but it has already attracted the attention of researchers. In early April 2025, analysts from Zscaler described the group as an operator that uses sophisticated extortion tactics and exploits privacy violations as leverage in negotiations with victims; their report is part of a broader analysis of emerging threats (see Zscaler's analysis).

Technical details published by independent researchers also help to explain the modus operandi: according to an analysis published on Medium by an S2W Talon researcher, the AiLock encryptor uses algorithms such as ChaCha20 and NTRUEncrypt to lock files, appends the .AILock extension to encrypted files and leaves ransom notes in the affected folders. This combination places the family among modern ransomware variants that aim to make recovery difficult without the decryption keys (technical analysis in Spain).

In addition to encryption, AiLock and related groups practice so-called "double extortion": they first exfiltrate data and then demand payment in exchange for not publishing the compromised information. In many cases, attackers set short deadlines for starting negotiations and threaten a public leak if no agreement is reached, a tactic designed to apply pressure and force rapid decisions. This strategy increases the reputational and legal risk to the organizations attacked.

For people linked to England Hockey (players, coaches, officials and club members), the immediate recommendation is to be more cautious about unexpected communications. After incidents like this, criminals commonly try to use stolen data in phishing campaigns or fraud attempts. Changing passwords, enabling two-factor authentication where it is available and distrusting emails or messages that ask for credentials or payments are sensible measures at this time.

Organizations should also follow established protocols for cyber incidents: contain the intrusion, preserve evidence for investigators, notify the competent authorities and assess whether there is a legal obligation to inform data protection regulators. In the United Kingdom, the Information Commissioner's Office (ICO) provides guidelines on breach reporting and on the obligations of entities that handle personal data (ICO guide). The National Cyber Security Centre (NCSC) also provides practical recommendations for mitigating and responding to ransomware incidents and phishing campaigns (NCSC guidance).

It is important to remember that paying a ransom does not guarantee full recovery or the removal of the threat: in addition to financing the attackers, payment does not always result in the safe return of the data or prevent its subsequent publication. This is why response teams consider both technical recovery options and a legal and communications assessment, to protect those affected and reduce reputational damage.

Looking ahead, incidents such as this underline the need for continued security investment by sports federations and civil society organizations, which store sensitive personal information but often have limited resources for technical protection. Implementing least-privilege access policies, robust and verified backups, phishing training for staff and members, and regular security assessments can make the difference between a scare and a prolonged crisis.

As the investigation progresses, England Hockey has asked for time to work with external specialists and the authorities, and promises to keep the community informed as more verifiable information becomes available. For those looking for guidance on how to protect themselves or how to respond to possible impersonation attempts, the NCSC maintains resources on how to identify fraudulent emails and act safely (NCSC phishing tips).

This episode is a reminder that cybersecurity is not just a business issue: sports and community organizations are also targets. Transparency, collaboration with experts and practical protection measures will be key to limiting damage and restoring the confidence of players and clubs.
