The leak was independently confirmed by cybersecurity researcher Jamieson O’Reilly, founder of cybersecurity firm Dvuln.
“Considering the exposure lasted for at least 681 days, it’s plausible that external attackers discovered and utilised these keys,” he said.
Football Australia CEO James Johnson: The soccer organisation has suffered a mass cybersecurity incident.Credit: James Brickwood
“This data is highly sensitive, particularly the personally identifiable information of players and the infrastructure scripts, which could contain more credentials, leading to further unauthorised access.
“The lack of effective monitoring in this case raises questions about the security practices in place. Regular monitoring for unusual activities or unauthorised access can quickly flag potential security breaches.”
Katherine Mansted, executive director of cyber intelligence at CyberCX, said that the leak highlighted the sensitive and valuable information held by sporting organisations.
“It’s also a reminder that not all data breaches have a malicious actor behind them,” she told this masthead. “As we digitise, the risk of making mistakes grows for all of us, and we need to make sure that our cybersecurity and awareness grow with that risk.
“Even though this was a mistake, the information was accessible online for nearly 700 days, and it’s the type of information that would be highly attractive to opportunistic cyber criminals. And unfortunately it’s impossible to pull that data back.”
The breach is the latest cybersecurity incident to affect a high-profile Australian organisation.
Late last year, researchers discovered a data breach impacting Melbourne travel agency Inspiring Vacations, in which a non-password protected database containing about 112,000 records totalling 26.8 gigabytes was leaked online.
An image showing a secret key that allowed Football Australia data to leak.Credit: Jamieson O’Reilly
Tens of millions of Australians have been caught up in recent security breaches including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what’s being dubbed a “new normal” of consistent attacks and leaks.
The Optus data breach was similar to the incident affecting Football Australia in that an unprotected endpoint left the personal data of some 10 million customers publicly exposed and subsequently leaked to the dark web.
Loading
That breach led to new legislation significantly increasing penalties for serious or repeated breaches of customer data. Organisations that fail to adequately protect peoples’ data face fines of $50 million or more.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Attorney-General Mark Dreyfus said when introducing the legislation.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
The Market Recap newsletter is a wrap of the day’s trading. Get it each weekday afternoon.