Passports, player contracts, and more have been available online for almost two years due to a Football Australia (FA) data breach, which cyber security researchers say includes information on every Australian fan and customer of the governing body.
Lithuanian group Cybernews detected the leak and informed the FA, allowing football officials to plug the hole before the issue was made public on Thursday morning. The FA contacted the Office of the Australian Information Commissioner (OAIC) about a potential data breach late on Thursday. According to Cybernews researchers, the exposure stemmed from keys to the FA's storage server being hard-coded into the HTML of an FA website, where anyone viewing the page source could read them.
Australians are increasingly concerned about online privacy after high-profile cybersecurity breaches. “While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” the Cybernews statement said.
Cybernews said the exposed keys gave them access to 127 "buckets" of FA data on Amazon Web Services, which included personally identifiable information of players, ticket purchase records, and details of and code for the FA's digital infrastructure.
Ethical hacker and founder of Sydney-based cybersecurity consultancy Dvuln, Jamie O'Reilly, said he had independently verified the leak and traced it back to early 2022. Although he had not reviewed the data himself, he described it, based on the Cybernews statement, as "quite significant". O'Reilly said that even one exposed bucket can compromise an entire company's systems.
"If Cybernews' findings are true and there were 127 buckets exposed, this represents 127 different ways to compromise their entire cloud and all the data inside of it," O'Reilly said. "I would hope that Football Australia is doing a comprehensive access review that dates back all the way to when this was first exposed to determine if any hackers have used this exposure to pivot into other parts of their cloud environment or business as a whole."
The researchers believe the leak was most likely caused by human error: a developer inadvertently left the storage server keys in client-side code that was served to the public. "The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data," the Cybernews statement said.
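The following Python is an added example, not code from the article, from Cybernews or from Football Australia. It illustrates the two practical checks the reporting points at: first, whether a page's source contains hard-coded storage credentials of the kind described above, and second, what a given key actually did according to CloudTrail, which is the starting point for the access review O'Reilly calls for. It assumes the "keys to the storage server" were an AWS IAM access key pair (the article does not say what form they took), and everything in it is constructed: the page fragment, the key values (the secret is AWS's own documentation placeholder), the CloudTrail-style records, the IP ranges and the function names are all hypothetical.

```python
import ipaddress
import re

# Constructed page fragment (not any real site): a developer has left
# storage credentials in an inline script. Values are fabricated and follow
# only the public *format* of AWS IAM credentials.
SAMPLE_HTML = """<html><head><script>
  var s3 = new AWS.S3({
    accessKeyId: "AKIAEXAMPLEKEY000001",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    region: "ap-southeast-2"
  });
  var bucket = "fa-player-documents";
</script></head><body>...</body></html>"""

# Long-lived IAM key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 characters. Secret keys are 40 characters of base64-like text.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(r"(?i)secret[_a-z]*\s*[:=]\s*[\"']([A-Za-z0-9/+]{40})[\"']")
BUCKET_RE = re.compile(r"(?i)bucket[_a-z]*\s*[:=]\s*[\"']([a-z0-9.-]{3,63})[\"']")


def find_hardcoded_aws_credentials(html):
    """Scan page source for IAM key IDs, secret keys and bucket names.

    Anything this returns is readable by every visitor, so a hit means the
    key must be treated as compromised and rotated, not just removed."""
    return {
        "access_key_ids": list(dict.fromkeys(ACCESS_KEY_RE.findall(html))),
        "secret_access_keys": list(dict.fromkeys(SECRET_KEY_RE.findall(html))),
        "buckets": list(dict.fromkeys(BUCKET_RE.findall(html))),
    }


# Constructed records mirroring the CloudTrail fields an access review
# relies on. Note: by default CloudTrail logs only management events such
# as ListBuckets; GetObject appears only if S3 data events were enabled.
SAMPLE_EVENTS = [
    {"eventTime": "2022-02-03T09:12:44Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2022-02-05T23:41:02Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2022-02-05T23:41:30Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "fa-player-documents",
                           "key": "contracts/2022.pdf"}},
    {"eventTime": "2022-02-06T01:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAOTHERKEY00000002"}},
]


def review_key_usage(events, access_key_id, trusted_cidrs):
    """Return every event made with the leaked key from outside the trusted
    networks, oldest first. Run this over the whole period the key was
    exposed, not just since the leak was reported."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            # AWS service principals log a hostname here; keep for review.
            hits.append(ev)
            continue
        if not any(ip in net for net in trusted):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["eventTime"])


if __name__ == "__main__":
    found = find_hardcoded_aws_credentials(SAMPLE_HTML)
    print("hard-coded credentials:", found)
    for key_id in found["access_key_ids"]:
        for ev in review_key_usage(SAMPLE_EVENTS, key_id, ["203.0.113.0/24"]):
            print(ev["eventTime"], ev["eventName"], ev["sourceIPAddress"])
```

The scanner is deliberately strict about key formats so it can run over crawled page source or a CI artifact without drowning in false positives; the review function keeps any event whose source cannot be parsed as an address rather than silently dropping it, since those are exactly the records an investigator should look at by hand.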
The FA has not confirmed the leak but provided a statement on Thursday. “Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority. Football Australia takes the security of all its stakeholders seriously. We will keep our stakeholders updated as we establish more details,” the FA statement said.
A spokesperson for the OAIC said there were obligations on organisations to report breaches. “The Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach,” an OAIC spokesperson said. “Once the organisation forms a reasonable belief that there has been an eligible data breach, they must notify the OAIC and affected individuals as soon as practicable.”