Millions of Australian football participants have potentially had their personal information leaked online after a security breach was identified in Football Australia’s (FA) digital infrastructure.
According to the independent cybersecurity research publication Cybernews.com, the national governing body accidentally left clear-text digital “keys,” including “secret keys,” in the publicly accessible code of one of its subdomains, meaning anyone who knew where to look could retrieve them.
These keys would have allowed the publication’s researchers to access 127 digital storage containers containing data and private information ranging from basic participants to national team players.
Cybernews claims the various data groups included players’ personal information, contracts and passports, along with ticket purchase information and detailed source code and scripts from the FA’s digital infrastructure.
The ABC contacted the publication on Thursday, but it has yet to provide proof of the data it obtained to verify its access.
“While we cannot confirm the total number of individuals affected, as this would require downloading the entire data set, which contradicts our responsible disclosure policies, we believe that every customer or fan of Australian rules football has been affected,” the researchers said.
“The exposed data, including football players’ contracts and documents, poses a serious threat as attackers could exploit this information for identity theft, fraud or even blackmail, highlighting the urgent need for improved security practices and measures to protect sensitive data.”
Cybernews claims to have contacted the FA about the data breach and that the governing body resolved the issue before the researchers published their paper.
According to the researchers, the most likely reason for the data breach was human error, “as a developer likely inadvertently left a hidden reference in a publicly accessible script. Nevertheless, the error represents a critical data exposure incident.”
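The failure described above, a credential left in a script that is served to the public, is the kind of thing a pre-deployment check can catch. The following is an added illustration, not code from the article, Cybernews or Football Australia: it scans a front-end script for assignments to credential-named identifiers whose values look random enough to be real secrets. The sample script, identifiers and values are constructed for this example.

```python
import math
import re

# Constructed sample of a public front-end script. The identifiers and values
# are invented for this example; the high-entropy one stands in for a real key.
SAMPLE_JS = """
const API_BASE = "https://example.invalid/api";
const STORAGE_SECRET_KEY = "x9Qv2LmZ8pR4tW7yB1nC6dF3gH5jK0sA";
const pageTitle = "Registration";
var accessKey = 'replace-me-replace-me';
let theme = "dark";
"""

# String literal (16+ chars) assigned to an identifier whose name suggests a credential.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:secret|key|token|password)[A-Za-z0-9_]*)
        \s*[:=]\s*['"](?P<value>[^'"]{16,})['"]""",
    re.IGNORECASE | re.VERBOSE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than words or URLs."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_exposed_secrets(source: str, min_entropy: float = 3.5) -> list[dict]:
    """Return credential-looking assignments whose value clears the entropy threshold.

    Low-entropy values such as placeholders are dropped so the check stays quiet
    on harmless config; the threshold is a tunable assumption, not a standard.
    """
    findings = []
    for m in CREDENTIAL_ASSIGNMENT.finditer(source):
        entropy = shannon_entropy(m.group("value"))
        if entropy >= min_entropy:
            findings.append({
                "name": m.group("name"),
                "entropy": round(entropy, 2),
                "line": source[: m.start()].count("\n") + 1,
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_JS):
        print(f"line {f['line']}: {f['name']} looks like a hard-coded secret "
              f"(entropy {f['entropy']} bits/char)")
```

Run as a build step that fails the deployment when the list is non-empty; the regex only covers literal assignments, so a reference to a secret pulled in from another public file still needs a check of that file.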
On Wednesday afternoon, PlayFootball, the FA’s centralised registration platform, went offline for a few hours, returning ‘504’ error messages when users tried to register for upcoming competitions. The platform was brought back online later that evening.
In a statement on Thursday, the FA said it was “aware of reports of a possible data breach and is investigating the matter as a matter of priority”.
“Football Australia takes the safety of all its stakeholders seriously.
“We will keep our stakeholders informed as we establish more details.”
It is unclear how long this vulnerability existed within FA’s digital infrastructure, or whether other individuals or groups identified it and accessed private information during that time.
It is the latest in a series of massive data breaches that have exposed millions of people’s information online.
Last year, following a similar incident at Optus, new legislation was introduced that dramatically increases fines, to $50 million or more, for companies that lose, breach or expose customer data to the public.