Football Australia data breach affects ‘every customer or fan’: how your details could be exposed
Human error is believed to have caused the mass data breach of a cache of sensitive player information as well as the details of ‘every customer and fan’ of Football Australia.
Elite Australian soccer players and their fans have had a cache of personal information – including contracts, passports and ticket purchase details – leaked online in the nation’s latest data breach.
Football Australia – which has been riding high on the Matildas making the World Cup semi-finals last year – has launched an investigation into the mass leak, saying in a three-sentence statement that it “takes the security of all its stakeholders seriously”.
Independent cybersecurity research site Cybernews released details of the breach, which involved up to 127 buckets of data, including ticket buyers’ personal information, players’ contracts and documents.
Cybernews researchers said they could not quantify how many people were caught up in the data leak but believed that “every customer or fan of Australian football was affected”.
According to FA’s latest national participation report, the code attracted 1.53 million players across its programs.
The release of such sensitive data exposes players and fans to potential identity theft and other financial crime, with organised crime gangs targeting a raft of Australian companies in the past 18 months, given how lucrative such leaks can be.
FA was yet to confirm details of the breach, which Cybernews reported as being the result of “human error”.
“Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority,” the organisation said.
“Football Australia takes the security of all its stakeholders seriously. We will keep our stakeholders updated as we establish more details.”
A Cybernews research team said FA had left plain-text Amazon Web Services keys – including secret keys – hardcoded into the HTML page of its subdomain.
“While we cannot confirm the total number of affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate every customer or fan of Australian football was affected,” the researchers said.
“The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data.”
Cybernews said the cause was most likely human error, with a developer accidentally leaving a reference to the keys in code that was accessible to the public.
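A defender's check for the failure mode described above, namely AWS keys hardcoded into a served HTML page, added here as an illustration and not code from Cybernews or Football Australia. The sample page is constructed (its credentials are the example values from AWS's own documentation), and the key-format patterns and entropy threshold are assumptions a real scanner would tune.

```python
import math
import re
from collections import Counter

# Shapes of AWS access key IDs (long-lived AKIA..., temporary ASIA...) and the
# 40-character secret that accompanies them. Assumption: current AWS formats.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
HEX_RE = re.compile(r"[0-9a-fA-F]{40}")  # SHA-1 digests share the length; skip them


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets sit well above ordinary text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep enough to match against a key inventory without re-exposing it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(page: str, min_secret_entropy: float = 4.0) -> list:
    """Scan served HTML/JS for hardcoded AWS credentials; return masked findings."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(page):
        findings.append({"kind": "access_key_id",
                         "line": page.count("\n", 0, m.start()) + 1,
                         "value": mask(m.group(1))})
    for m in SECRET_KEY_RE.finditer(page):
        candidate = m.group(1)
        # Pure hex of this length is almost always a digest, not a secret key.
        if HEX_RE.fullmatch(candidate) or shannon_entropy(candidate) < min_secret_entropy:
            continue
        findings.append({"kind": "secret_access_key",
                         "line": page.count("\n", 0, m.start()) + 1,
                         "value": mask(candidate)})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample page: a client-side script that embeds AWS's documented
# example credentials the way an accidentally hardcoded key pair would appear.
SAMPLE_HTML = """<html><head><title>Ticketing</title>
<script src="app.js" data-build="da39a3ee5e6b4b0d3255bfef95601890afd80709"></script>
<script>
  var s3 = new AWS.S3({
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  });
</script></head><body></body></html>"""

if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_HTML):
        print(finding)
```

Run against the HTML and JavaScript a site actually serves (a crawl of each subdomain, not just the repository), since the leak in question was in a page delivered to browsers.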