A data breach at Football Australia (FA) has left passports, player contracts, and more exposed for nearly two years, encompassing information on every Australian fan and customer. The exposure was discovered by the Lithuania-based research group Cybernews, which notified the FA so it could address the issue before public disclosure on Thursday.
Cybernews discovered the leak and immediately informed the FA, then contacted the Office of the Australian Information Commissioner (OAIC) regarding the potential data breach. The breach was identified when access keys for the FA’s storage server were found hardcoded into an HTML page on an FA website, according to Cybernews researchers.
While the total number of affected individuals remains unconfirmed due to responsible disclosure policies, Cybernews estimates that every customer or fan of Australian football was impacted.
Cybernews identified access to 127 “buckets” of FA data on Amazon Web Services, encompassing personally identifiable information of players, ticket purchase records, and details and code about the FA’s digital infrastructure.
Ethical hacker Jamie O’Reilly independently verified the leak, dating it back to early 2022. Although O’Reilly had not reviewed the data, he described it as “quite significant” based on Cybernews’ statement. O’Reilly emphasized that even one exposed bucket could compromise an entire company’s systems, and with 127 buckets exposed, there are multiple avenues for compromising the entire cloud and its data.
The researchers attribute the leak to likely human error, where a developer inadvertently left a crucial server reference in code accessible to the public. The exposed data, including player contracts and documents, poses severe threats such as identity theft, fraud, or blackmail, highlighting the urgent need for enhanced security practices.
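The root cause described above, a cloud storage key left in a publicly served HTML page, is a class of mistake that can be caught by scanning what a web server actually sends to browsers. The following scanner is an added example, not code from Cybernews, Football Australia, or Jamie O’Reilly; the key-format patterns are my own approximations of AWS access key ID and secret key shapes, the sample page is constructed, and the credentials in it are the placeholder values AWS uses in its own documentation. It reports line numbers, redacts anything secret so the report is not itself a leak, and grades a page as "critical" when a complete ID-plus-secret pair is present, since that is the case where anyone loading the page can call the storage API directly.

```python
"""Scan served HTML/JS for hardcoded AWS credentials and bucket references.

Added example (not from the article's subjects). Key-shape regexes are
assumptions about AWS credential formats; SAMPLE_HTML is constructed and
uses the placeholder credentials from AWS documentation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics (assumed format).
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys look like 40 chars of base64 text, which is too common to flag
# on its own, so only match them next to a "secret key" label (assumed format).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Virtual-hosted-style S3 URLs: <bucket>.s3[.<region>].amazonaws.com
BUCKET_URL_RE = re.compile(
    r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
)

# Constructed page: a front-end script given a long-term key as a shortcut.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Fan portal (constructed sample)</title>
<script>
  // A developer shortcut: the page talks to S3 directly with a long-term key.
  var s3 = new AWS.S3({
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    region: "ap-southeast-2"
  });
</script></head>
<body><img src="https://fa-example-assets.s3.ap-southeast-2.amazonaws.com/logo.png"></body>
</html>"""


@dataclass(frozen=True)
class Finding:
    kind: str   # "access_key_id", "secret_key", or "bucket"
    value: str
    line: int   # 1-based line number in the scanned document


def scan_page(text: str) -> List[Finding]:
    """Run all three patterns over every line and collect what they match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding("access_key_id", m.group(0), line_no))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding("secret_key", m.group(1), line_no))
        for m in BUCKET_URL_RE.finditer(line):
            findings.append(Finding("bucket", m.group(1), line_no))
    return findings


def redact(secret: str) -> str:
    """Keep only the ends of a secret so the scan report is not a second leak."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def severity(findings: List[Finding]) -> str:
    """Grade a page by the worst thing found on it."""
    kinds = {f.kind for f in findings}
    if "access_key_id" in kinds and "secret_key" in kinds:
        return "critical"  # full credential pair: the page alone grants API access
    if "access_key_id" in kinds or "secret_key" in kinds:
        return "high"      # half a pair; the other half is often nearby
    if "bucket" in kinds:
        return "info"      # bucket names alone are normal; review their policies
    return "none"


def report(text: str) -> Dict:
    """Redacted, line-numbered report suitable for a ticket or alert."""
    findings = scan_page(text)
    return {
        "severity": severity(findings),
        "findings": [
            {"kind": f.kind, "line": f.line,
             "value": f.value if f.kind == "bucket" else redact(f.value)}
            for f in findings
        ],
    }


if __name__ == "__main__":
    print(report(SAMPLE_HTML))
```

A hit is a trigger to rotate the key immediately rather than merely remove it from the page, because anything served over HTTP for two years should be assumed to have been copied; the longer-term fix is to keep credentials out of the browser entirely and hand out short-lived, narrowly scoped access from a backend instead.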
While the FA has not officially confirmed the leak, they issued a statement on Thursday, stating, “Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority. Football Australia takes the security of all its stakeholders seriously. We will keep our stakeholders updated as we establish more details.”
The OAIC stressed that organizations have obligations to report breaches, with the Privacy Act requiring them to conduct a data breach assessment within 30 days of becoming aware of potential breaches. Once a reasonable belief of a breach is formed, organizations must notify the OAIC and affected individuals promptly.