Football Australia reportedly accidentally leaks player contracts, fan data access online
Football Australia says it is aware of reports it accidentally leaked secret keys online that threaten the personal information of players and fans.
Cybernews is reporting the private information – including player contracts, passports, and other personal details – were accessible in 127 “buckets of data” that should normally be locked to the public.
Researchers found Australia’s football governing body “left plain-text Amazon Web Services (AWS) keys – including secret keys – hardcoded into the HTML page of its subdomain”.
Football Australia reportedly amended the problem after being alerted by the researchers.
In a statement, the sport’s governing body said it was investigating the matter.
“Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority,” the statement read.
“Football Australia takes the security of all its stakeholders seriously. We will keep our stakeholders updated as we establish more details.”
Per Cybernews, extremely sensitive information was made public and easily accessible.
“One bucket did not even require authentication and contained personal information, contracts, and documents of football players,” the researchers said.
“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected.
“The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data.”
The researchers believe it was human error that led to the keys being published online, rather than a deliberate cyberattack.
