In what seems to be becoming a common and simple security flaw, the nation’s governing football body, Football Australia, has suffered a data breach after leaving keys to a database containing personal details openly accessible.
As reported by CyberNews, the organisation left a number of Amazon Web Services (AWS) keys exposed. The keys, several of which were secret keys, were hardcoded into the HTML of Football Australia’s website.
Such secret keys grant whoever holds them access to the organisation’s AWS services, as well as the ability to control them.
In the case of Football Australia, these keys granted access to 127 digital storage containers (buckets), which held the personal details of ticket buyers, as well as documents and contracts belonging to players, internal infrastructure details, and the source code and scripts of its digital infrastructure.
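A defender's pre-deploy check for this class of flaw, added here as an example and not code from the article or from Football Australia: it scans a page's HTML and inline JavaScript for strings shaped like AWS access key IDs (20 characters, `AKIA`/`ASIA` prefix) and secret access keys (40 base64-alphabet characters), running over a constructed sample page whose key values are placeholders. The entropy threshold and the "secret" keyword context rule are assumptions chosen to suppress false positives such as build hashes.

```python
import math
import re

# Constructed sample page for this example; the key values are placeholders
# (the secret is the well-known example value from AWS documentation).
SAMPLE_HTML = """<html><head><script>
  var awsConfig = {
    accessKeyId: "AKIAEXAMPLEEXAMPLE01",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  };
  var buildHash = "0000000000000000000000000000000000000000";
</script></head><body></body></html>"""

# Long-lived (AKIA) and temporary (ASIA) access key IDs: 20 chars, fixed prefix.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet; many harmless
# tokens look the same, so each candidate is also checked for entropy and
# for a nearby "secret" keyword before it is reported (assumed heuristics).
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
MIN_ENTROPY = 3.0  # bits per character; real secrets score well above this

def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(value):
    # Never echo a full credential into logs or CI output.
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def find_aws_credentials(text):
    """Return a finding for every line of `text` that appears to carry an AWS key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append({"kind": "access_key_id", "line": lineno, "value": mask(m.group(0))})
        for m in SECRET_RE.finditer(line):
            token = m.group(0)
            context = line[max(0, m.start() - 60):m.start()]
            if shannon_entropy(token) < MIN_ENTROPY or not re.search(r"secret", context, re.I):
                continue  # low-entropy decoy or no credential-like context
            findings.append({"kind": "secret_access_key", "line": lineno, "value": mask(token)})
    return findings

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_HTML):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run against a site's built static assets before publishing; any finding should fail the build and trigger rotation of the key, since a credential that reached a public page must be treated as compromised.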
“The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data,” said researchers, adding that one bucket didn’t require a key for authentication.
“Moreover, one bucket did not even require authentication and contained personal information, contracts, and documents of football players,” they said.
The researchers at CyberNews believe that human error is likely the cause of the issue.
Football Australia was informed of the issue and has since secured the exposed data. However, it has yet to release a statement on the incident.
“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” said CyberNews researchers.
The Football Australia incident comes just over a month after another Australian organisation suffered a data breach as a result of leaving an AWS database publicly accessible.
Cyber security researcher Jeremiah Fowler said he discovered a non-password-protected database owned by Melbourne-based travel agency Inspiring Vacations, which contained 112,605 records belonging largely to Australian customers. However, data belonging to customers from Ireland, New Zealand, and the UK was observed as well.
The data contained in the database came to a total of 26.8 gigabytes and included “potentially sensitive information such as high-resolution passport images, travel visa certificates, and itinerary or ticket files”, said Fowler.
The story of Inspiring Vacations spread quickly, leading to a number of media publications reporting the story inaccurately, equating the 112,605 records to as many people affected.
For example, one publication’s headline at the time of writing simply said, “Personal information of more than 112,000 people exposed in data breach”, a misinterpretation of its findings on 10 January.