Millions of football participants across Australia have potentially had their personal information leaked online after a security flaw was identified in Football Australia's (FA) digital infrastructure.
According to independent cybersecurity research publication Cybernews.com, the national governing body accidentally left plain-text digital "keys", including "secret keys", lingering in the publicly accessible code of one of its sub-domains, meaning anybody could access them if they knew where to look.
These keys supposedly provided the publication's researchers with access to 127 digital storage containers holding data and private details on everyone from grassroots participants through to national team players.
Cybernews claim that the various buckets of data included players' personal details, contracts, and passports, as well as ticket purchase information and detailed source code and scripts from FA's digital infrastructure.
The publication was contacted by ABC on Thursday but has yet to provide proof of the data it obtained in order to verify its access.
"While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected," the researchers said.
"The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasising the urgent need for improved security practices and measures to safeguard sensitive data."
Cybernews say they contacted FA about the data breach, and that the governing body fixed the issue before the researchers published their story.
They claim the most likely reason behind the data breach was human error, "as a developer likely inadvertently left a reference hidden in a script accessible to the public. Nevertheless, the mistake represents a critical data exposure incident".
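The root cause described above, plain-text keys left in a publicly served script, is exactly what a secret scan run before code is published is meant to catch. The following is an added example, not code from the article or from Football Australia: a small scanner that flags string assignments whose variable name looks credential-like and whose value has high entropy. The script text and key values below are constructed for illustration.

```python
import math
import re

# Constructed stand-in for a public-facing script; every name and value here is invented.
SAMPLE_SCRIPT = """
const API_BASE = "https://example.invalid/api";
const storageAccessKey = "F7Q2M9XK4B1LWN8D";                  // constructed value
const storageSecretKey = "c4e1f9a2b7d3086e5f1a2b3c4d5e6f70";  // constructed value
var retries = 3;
window.config = { secret_key: "changeme", region: "ap-southeast-2" };
"""

# Variable names that usually hold credentials (assumed list, extend for your own code base).
SECRET_NAME = re.compile(r"(secret|access[_-]?key|api[_-]?key|token|passw(or)?d)", re.I)
# identifier = "value"  or  identifier: "value"  (JS/JSON style string assignments).
ASSIGNMENT = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']+)["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_script(text: str, min_len: int = 16, min_entropy: float = 3.0) -> list:
    """Return one finding per credential-named string assignment, with a severity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if not SECRET_NAME.search(name):
                continue
            ent = shannon_entropy(value)
            # Long, high-entropy values are almost certainly real keys; short or
            # low-entropy ones (placeholders like "changeme") still deserve a look.
            severity = "likely-secret" if len(value) >= min_len and ent >= min_entropy else "review"
            findings.append({"line": lineno, "name": name, "entropy": round(ent, 2), "severity": severity})
    return findings


def has_likely_secrets(text: str) -> bool:
    """CI gate: true when any finding is a likely secret, so the publish step can fail."""
    return any(f["severity"] == "likely-secret" for f in scan_script(text))
```

Run it over every bundle and script before it is deployed to a public host; a single `likely-secret` finding should block the release until the value is moved to server-side configuration and rotated.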
On Wednesday afternoon, FA's centralised registration platform PlayFootball was taken offline for a few hours, returning "504 Error" messages when people tried to register for upcoming competitions. The platform went back online later that evening.
In a statement on Thursday, FA said it was "aware of reports of a possible data breach and is investigating the matter as a priority".
"Football Australia takes the security of all its stakeholders seriously.
"We will keep our stakeholders updated as we establish more details."
It's unknown how long this vulnerability has existed within FA's digital infrastructure, or whether any other individuals or groups identified and subsequently accessed private information during that time.
This is the latest in a string of mass data breaches that have exposed the details of millions of people online.
Last year, following a similar incident at Optus, new legislation was introduced that significantly increased penalties, to $50 million or more, for companies that lose, breach, or expose customer data to the public.