The Australian Football Federation (Football Australia) recently suffered a major data breach that exposed confidential information of both players and fans.
Football Australia left Amazon Web Services (AWS) keys publicly accessible online. This allowed access to over 100 data buckets containing sensitive documents like player contracts and passports as well as customer ticket purchase records.
Though the data exposure was likely due to human error rather than a cyberattack, the keys were accessible for over 681 days before being discovered. This raises concerns that external attackers may have already accessed and exfiltrated data.
Researchers estimate that personal information of every Australian soccer fan may have been compromised in the breach. The exposed data poses serious privacy risks and could be exploited for identity theft, fraud or extortion.
Breach Highlights Security Risks of Sports Organizations
The Football Australia breach highlights that sports bodies hold highly valuable and sensitive information on players, employees and fans. Regular security monitoring could have quickly detected the misconfigured AWS buckets, but the lengthy data exposure suggests inadequate practices to safeguard sensitive information.
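The article's point is that routine monitoring would have caught the exposure long before day 681. The following is an added example, not code from the article or from Football Australia, of two such checks that run entirely offline: a scan of text (config files, committed source, published pages) for AWS access-key-shaped strings, and a review of an S3 bucket policy for statements that grant access to everyone. The sample config and policies are constructed; the credential values are AWS's own documented placeholder examples, and the bucket name and role ARN are hypothetical.

```python
"""Added example: minimal offline checks for leaked AWS credentials and
public S3 bucket policies. Not Football Australia's or the article's code."""
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) plus 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Secret access keys are 40 base64-like characters. The pattern alone is noisy
# (hashes, padding, repeated characters also match), so candidates must also
# have high Shannon entropy before they are reported.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~4.6 for a real secret, 0 for 'aaaa...'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_aws_credentials(text: str, min_entropy: float = 4.0) -> dict:
    """Return access key IDs and high-entropy secret-key candidates found in text."""
    key_ids = sorted(set(ACCESS_KEY_RE.findall(text)))
    secrets = sorted(
        {m for m in SECRET_CANDIDATE_RE.findall(text) if shannon_entropy(m) >= min_entropy}
    )
    return {"access_key_ids": key_ids, "secret_candidates": secrets}


def public_policy_statements(policy: dict) -> list:
    """Return the Sids of Allow statements whose Principal is everyone ("*")
    and that carry no Condition narrowing who may use them."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        if aws and "*" in aws and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: an application config with credentials committed in
# plain text. The values are AWS's documented placeholder example keys.
SAMPLE_CONFIG = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = ap-southeast-2
"""

# Constructed sample policies; bucket name and role ARN are hypothetical.
SAMPLE_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadAll", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-ticketing-data",
                      "arn:aws:s3:::example-ticketing-data/*"]},
    ],
}
SAMPLE_HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ticketing-app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-ticketing-data/*"},
        # A Deny to everyone is the opposite of an exposure and is not flagged.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-ticketing-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print("credentials in config:", find_aws_credentials(SAMPLE_CONFIG))
    print("public statements (weak policy):", public_policy_statements(SAMPLE_PUBLIC_POLICY))
    print("public statements (hardened):", public_policy_statements(SAMPLE_HARDENED_POLICY))
```

Run against a repository checkout, a CI log archive or a crawled copy of the organisation's public web pages, the first check turns a multi-year exposure into a same-day alert; the second belongs in a scheduled job over every bucket's policy, alongside the account-level S3 Block Public Access setting.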
Football Australia's Secret Key that led to the breach. (Source: smh.com.au)
This incident follows several other high-profile Australian data breaches last year, including at Optus, which exposed the information of over 10 million people. This epidemic of breaches has prompted the government to introduce harsher penalties for organizations that mishandle Australians' data.
Football Australia says it is investigating the breach as a priority and will update stakeholders. Nevertheless, the event underscores the need for all companies holding personal data to rigorously assess and strengthen their cybersecurity controls.
The total number of people who have been affected by the breach is currently unknown, but Football Australia has said that it’s very likely every single customer or fan was affected by it.
What Should You Do If You Have Been Affected?
If your data was part of the breach, we highly recommend that you change your passwords and enable multi-factor authentication on all your accounts. Avoid reusing the same password across multiple accounts.
If you receive a suspicious email asking for personal information, do not reply to it: it may be an attempt to gain access to your accounts. Download an antivirus, such as TotalAV, so you’re protected from cyber attacks.
However, it is not always possible to protect yourself from such incidents, as this Football Australia breach shows. Data breaches sometimes result from human error, and in those cases there is little an individual can do to protect their information.