Football Australia reports data leak exposing players and fan data
Take action: Secure AWS access keys instead of leaving them exposed; here, plain-text keys sat in public for nearly two years before anyone noticed. Treat cloud access keys as secrets: keep them out of public code and pages, rotate them, and watch for unexpected use.
Learn More
Football Australia suffered a significant data breach that exposed sensitive information about Australian soccer players and potentially affected all of its local customers and fans. The organization inadvertently published plain-text Amazon Web Services (AWS) access keys, which allowed unauthorized access to 127 digital storage containers.
These containers held a large amount of sensitive data, including:
- players' passports,
- players' contracts,
- players' personal documents,
- customers' ticket purchase details,
- internal infrastructure information.
The incident is believed to stem from human error rather than a deliberate cyberattack, but given the sensitivity of the exposed data it could have serious consequences for those affected, including identity theft, fraud, or blackmail.
The exact number of affected individuals could not be confirmed because of the responsible disclosure process, but the breach is estimated to have affected every Australian football fan or customer.
The exposure lasted at least 681 days, long enough that external attackers could have discovered and used the exposed AWS keys. A gap of that length points to significant lapses in monitoring and security practice, and underlines the need for routine checks for unusual activity or unauthorized access so that a leak like this is caught early rather than years later.
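The kind of routine check the previous paragraph calls for can be automated against AWS CloudTrail, which records every API call made with an access key. The script below is an added example written for this page; it is not Football Australia's tooling and the log records are constructed for illustration (the key IDs, bucket names, IP addresses and the `KNOWN_KEYS` inventory are all made up). It reads CloudTrail-style JSON Lines records and flags three things a leaked key tends to produce: a key ID that is not in the organization's inventory, a known key used from outside trusted networks, and a single key reading from many distinct buckets.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail-style records (JSON Lines) for this example. They are not
# real logs; field names follow the CloudTrail record schema, values are invented.
SAMPLE_LOG = """\
{"eventTime":"2024-01-30T09:12:01Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"},"requestParameters":{"bucketName":"ticketing-exports"}}
{"eventTime":"2024-01-30T09:12:05Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002"},"requestParameters":null}
{"eventTime":"2024-01-30T09:12:09Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002"},"requestParameters":{"bucketName":"player-contracts"}}
{"eventTime":"2024-01-30T09:12:11Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002"},"requestParameters":{"bucketName":"player-passports"}}
{"eventTime":"2024-01-30T09:12:14Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002"},"requestParameters":{"bucketName":"ticketing-exports"}}
{"eventTime":"2024-01-30T09:12:20Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002"},"requestParameters":{"bucketName":"infra-backups"}}
{"eventTime":"2024-01-30T09:15:02Z","eventName":"GetObject","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000003"},"requestParameters":{"bucketName":"ticketing-exports"}}
"""

# Assumed inventory of access keys the organization issued (hypothetical values),
# e.g. from the IAM credential report, and the networks it expects calls from.
KNOWN_KEYS = {"AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"}
TRUSTED_NETWORKS = ["203.0.113.0/24"]


def parse_events(raw):
    """Parse JSON Lines CloudTrail records, skipping blank lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def in_trusted_network(ip, networks):
    """True if ip falls inside any trusted CIDR. CloudTrail sometimes carries a
    service hostname (e.g. an AWS service principal) instead of an address;
    those are treated as untrusted so they surface for review."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def find_suspicious(events, known_keys, trusted_networks, bucket_threshold=3):
    """Return one finding per (rule, key) worth a human look."""
    findings = []
    buckets_per_key = defaultdict(set)
    reported_unknown = set()          # keys already reported as not in inventory
    reported_untrusted = set()        # (key, ip) pairs already reported
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue                   # e.g. console sign-in events carry no key
        ip = ev.get("sourceIPAddress", "")
        # Rule 1: a key the organization never issued (attacker-created or forgotten).
        if key not in known_keys and key not in reported_unknown:
            reported_unknown.add(key)
            findings.append({"rule": "unknown_key", "accessKeyId": key,
                             "detail": f"first seen {ev['eventTime']} from {ip}"})
        # Rule 2: a known key used from outside the expected networks.
        if not in_trusted_network(ip, trusted_networks) and (key, ip) not in reported_untrusted:
            reported_untrusted.add((key, ip))
            findings.append({"rule": "untrusted_source", "accessKeyId": key,
                             "detail": f"{ev['eventName']} from {ip}"})
        # Track buckets touched per key for Rule 3.
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket:
            buckets_per_key[key].add(bucket)
    # Rule 3: one key sweeping many buckets looks like bulk collection.
    for key, buckets in buckets_per_key.items():
        if len(buckets) >= bucket_threshold:
            findings.append({"rule": "bulk_bucket_access", "accessKeyId": key,
                             "detail": f"{len(buckets)} distinct buckets: {sorted(buckets)}"})
    return findings


def run_sample():
    """Run the three rules over the constructed log."""
    return find_suspicious(parse_events(SAMPLE_LOG), KNOWN_KEYS, TRUSTED_NETWORKS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:20} {f['accessKeyId']}  {f['detail']}")
```

On the constructed log this reports three findings: `AKIAEXAMPLEKEY000002` used from the untrusted address 198.51.100.77, the same key reading from four distinct buckets, and `AKIAEXAMPLEKEY000003`, which is not in the inventory at all. In a real deployment the records would come from the CloudTrail delivery bucket or a CloudTrail Lake/Athena query rather than an inline string, and the inventory and trusted networks would be maintained alongside key rotation; the point is that each rule is cheap to run on a schedule, which is exactly what was missing during a 681-day exposure.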
Football Australia has acknowledged the potential data leak and is conducting a priority investigation.