Excerpt from The Guardian article – published on Feb 01, 2024

Football Australia (FA) finds itself embroiled in a major data breach that exposed confidential information, including player contracts and the personal details of Australian football fans. Researchers at Cybernews, a prominent Lithuanian cybersecurity group, discovered the breach and promptly alerted FA officials, enabling action to be taken before the matter became public on Thursday morning. The exposure is especially serious for FA’s stakeholders because it went unnoticed for almost two years. The leak originated from hard-coded storage server keys embedded within the HTML of an FA website, which is where the Cybernews researchers found them.

While the precise number of affected individuals remains unconfirmed, Cybernews estimates that the breach encompasses every customer and fan associated with Australian football. The exposed keys gave access to 127 “buckets” of FA data on Amazon Web Services, containing personally identifiable information about players, ticket purchase records, and detailed information about FA’s digital infrastructure. Jamie O’Reilly, an ethical hacker and founder of Dvuln, a cybersecurity consultancy in Sydney, independently verified the breach and traced its origins back to early 2022. Although he did not review the data firsthand, O’Reilly echoed Cybernews’ assessment and emphasized the gravity of the situation, noting that each exposed bucket was a potential foothold from which FA’s entire cloud infrastructure could be compromised.

The leak is believed to have resulted from human error: a developer inadvertently left the server references publicly accessible within the website’s code. Cybernews emphasized the critical nature of the exposed data, which includes contracts and documents of football players, posing significant risks such as identity theft, fraud, and blackmail. While FA has yet to confirm the breach officially, it issued a statement acknowledging the reports and asserting its commitment to investigating the matter as a top priority. Stressing its dedication to stakeholder security, FA pledged to be transparent in updating stakeholders as the investigation progressed.
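The root cause described above, credentials left in a served HTML page, is the kind of defect a pre-deployment scan of static assets can catch. The following is an added illustration, not code from the article or from Football Australia, and it assumes the keys were standard AWS access key pairs (the article says only “storage server keys” for AWS buckets); the sample page and its credential values are constructed placeholders.

```python
import re

# Constructed sample page (not from the incident): an inline script that embeds
# storage credentials the way the article describes. Values are fake placeholders.
SAMPLE_HTML = """<html><body>
<script>
  var s3 = new AWS.S3({
    accessKeyId: "AKIAEXAMPLEEXAMPLE01",
    secretAccessKey: "EXAMPLEsecretKEYexampleSECRETkey12345678",
    region: "ap-southeast-2"
  });
</script>
<p>Fixtures and tickets</p>
</body></html>"""

# AWS access key IDs are 20 characters and start with AKIA (long-term user keys)
# or ASIA (temporary STS keys). Assumption: the incident involved this key format;
# the article itself only says "storage server keys".
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-style characters. They are only reported when
# they sit within `window` bytes of an access key ID, which keeps false positives
# from hashes and similar tokens low.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def redact(secret: str) -> str:
    """Keep only a short prefix so the finding itself does not leak the credential."""
    return secret[:4] + "..." + "*" * (len(secret) - 4)


def find_hardcoded_aws_keys(source: str, window: int = 400) -> list[dict]:
    """Scan raw HTML/JS source for AWS access key IDs and any adjacent secret key."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(source):
        key_id = m.group(1)
        nearby = source[max(0, m.start() - window): m.end() + window]
        secrets = [s for s in SECRET_RE.findall(nearby) if s != key_id]
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "access_key_id": key_id,
            "secret_present": bool(secrets),
            "secret_redacted": redact(secrets[0]) if secrets else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_aws_keys(SAMPLE_HTML):
        print(finding)
```

Run against the built site before publishing; a single hit should fail the build and trigger key rotation, since anything shipped in HTML must be treated as already exposed.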

Responding to the breach, a spokesperson for the Office of the Australian Information Commissioner (OAIC) emphasized organizations’ legal obligation to report breaches promptly. Under the Privacy Act, organizations must complete a data breach assessment within 30 days of suspecting a breach and then promptly notify affected individuals and the OAIC. As FA navigates the aftermath of the breach, questions arise about the adequacy of its cybersecurity protocols and the potential impact on stakeholder trust within the Australian football community.

To delve deeper into this topic, please read the full article in The Guardian.