Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Personal data exposed in Football Australia data leak after database left accesible

In what seems to be becoming a common and simple security flaw, the nation’s governing football body, Football Australia, has suffered a data breach after leaving keys to a database containing personal details openly accessible.

user icon Daniel Croft
Thu, 01 Feb 2024
Personal data exposed in Football Australia data leak after database left accesible
expand image

As reported by CyberNews, the organisation left a number of Amazon Web Services (AWS) keys exposed. The keys, which included a number of secret keys, were hardcoded into the HTML Football Australia’s website.

These secret keys grant the user access to the organisation’s AWS services, as well as the ability to control them.

In the case of Football Australia, these keys granted access to 127 digital storage containers, which were filled with the personal details of ticket buyers, as well as documents and contracts belonging to players, internal infrastructure details and source code and scripts of digital infrastructure.

============
============

“The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data,” said researchers, adding that one bucket didn’t require a key for authentication.

“Moreover, one bucket did not even require authentication and contained personal information, contracts, and documents of football players,” they said.

The researchers at CyberNews believe that human error is likely the cause of the issue.

Football Australia was informed of the issue and has since fixed the exposed data. However, it has yet to release a statement on the issue.

“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” said CyberNews researchers.

The Football Australia incident comes just over a month after another Australian organisation suffered a data breach as a result of leaving an AWS database publicly accessible.

Cyber security researcher Jeremiah Fowler said he discovered a non-password-protected database owned by Melbourne-based travel agency Inspiring Vacations, which contained 112,605 records belonging largely to Australian customers. However, data belonging to customers from Ireland, New Zealand, and the UK were observed as well.

The data contained in the database came to a total of 26.8 gigabytes and included “potentially sensitive information such as high-resolution passport images, travel visa certificates, and itinerary or ticket files”, said Fowler.

The story of Inspiring Vacations spread quickly, leading to a number of media publications reporting the story inaccurately, equating the 112,605 records to as many people affected.

For example, one publication’s headline at the time of writing simply said, “Personal information of more than 112,000 people exposed in data breach”, a misinterpretation of its findings on 10 January.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.