British Horseracing Authority hit by cyberattack, shuts London office
But Derby weekend races go ahead as planned
Horse racing’s governing body has been hit with a suspected ransomware attack, but the race calendar remains unaffected.
The British Horseracing Authority (BHA), the governing body for horse racing in the UK, has confirmed it was the target of a cyberattack, forcing the temporary closure of its London headquarters and prompting staff to work remotely.
The incident, thought to be a ransomware attack, was first detected late last week.
The BHA said in a statement that an IT security breach was discovered and is under urgent investigation with the assistance of external cybersecurity specialists.
"We recently identified and began investigating an IT incident," a BHA spokesperson confirmed.
"We are working at pace with external specialists to determine what happened in more detail and safely restore our systems. The delivery of race days has continued as normal and will continue to do so. We have informed our colleagues, core industry stakeholders and law enforcement."
Despite the attack, the BHA has stressed that the UK racing calendar remains unaffected.
Racecards at Salisbury, Wolverhampton, Catterick and Fontwell went ahead as planned over the weekend, as will other upcoming fixtures.
Sources close to the investigation suggest that, so far, the damage appears to be limited to internal systems and data, with no indication that critical racing operations or customer-facing platforms have been compromised.
However, the full scope of the breach remains under assessment. It is not yet known whether a ransom demand was issued or if any sensitive data was exfiltrated.
The attack on the BHA follows a recent spate of cyber incidents targeting major UK institutions.
High street retail giant Marks and Spencer recently reported a "highly sophisticated and targeted" ransomware attack over the Easter period, with losses estimated at £300 million.
Meanwhile, the Co-op also suffered a cyberattack that affected its supermarket and funeral businesses.
Cartier, The North Face, Dior, Adidas and Victoria’s Secret have also fallen victim in recent weeks.
The timing of the BHA breach, just before one of the sport's most prestigious events, has increased concerns about the growing threat cyber criminals pose to critical sectors, including sport.
Brian Higgins, a security specialist at Comparitech, warned anyone who has had contact with BHA to "keep checking the BHA comms, verify the credentials of any contacts or sources and don't engage with third parties until the situation is safely resolved."
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said the attack "highlights a broader trend of diverse organisations facing cyber threats. It emphasises that cybersecurity is not merely a technological challenge, but a human-centric one. Organisations must foster a culture of security at all levels, recognising that educated and empowered personnel are crucial in defending against cyber risks."