https://cybernews.com/security/aston-villa-fc-security-gaps-expose-fans/I’ll try and neaten this post up [wont let me put it as a quote, I give up/ feel free to merge/delete] , but just got this from Amfy, I think via a CDWeebully associate.
Aston Villa’s gates have security gaps: fans exposedAston Villa FC
Aston Villa Football Club (AVFC) left a publicly leaking Amazon Web Services (AWS) S3 bucket containing the personally identifiable information of 135,770 individuals. The affected fans are vulnerable to spear phishing, social engineering attacks, and identity theft attempts.
On March 13th, 2024, the Cybernews research team discovered a publicly accessible AWS S3 bucket (cloud storage service). The storage likely belongs to Aston Villa Football Club, as it contained 135,770 member records among 5842 exposed CSV files used for storing data.
The exposed personal information contains the following:
Full names
Dates of Birth
Home addresses
Phone numbers
Email addresses
Membership details
Purchase details (date, method of payment, type of membership purchased).
Cybersecurity researchers warn that “the exposure of personally identifiable information presents a series of severe information security implications and risks to the club’s fans.”
The leaking bucket was labeled “prod” in its name, which suggests it could be used to store and manage data used in AVFC’s operational and production environments.
After responsible disclosure, the bucket is no longer public. Cybernews has reached out to AVFC for additional comments, but we have yet to receive a response.
Therefore, it’s unclear what caused the leak or whether other third parties have compromised the bucket.
Founded in 1874, Aston Villa Football Club is a professional football club based in Aston, Birmingham, England. Villa competes in the Premier League, the highest level of the English football league system, and has recently qualified for next season’s Champions League, Europe’s elite competition.
The AVFC official website has 1.1 million monthly visitors, according to Similarweb.
Many risks aheadFor cybercriminals, the data is a treasure trove that may be used for many financially motivated attacks.
The more data crooks can leverage, the more sophisticated social engineering attacks they can orchestrate.
“Attackers could engage in manipulative tactics aimed at persuading unsuspecting individuals to divulge further sensitive information or undertake actions that compromise their security. This may involve impersonating trusted entities to elicit additional personal or financial information,” researchers warn.
Villa fans should beware that the availability of exposed email addresses and phone numbers can be used for spear phishing campaigns specifically designed for each exposed individual.
Cybercriminals may craft deceptive emails, text messages, or calls purporting to originate from legitimate sources. Such scams often seem genuine, and victims unintentionally fall for them. Avoid clicking on dangerous links, downloading attachments, divulging login information, and follow other good cyber hygiene practices.
“Personal safety and security are seriously threatened when the residential address is made public. Doxxing incidents violate a person’s privacy. The consequences are not limited to cyberspace and could involve other illegal activities that are made easier by knowing exactly where the person lives, such as theft, burglary, or physical incursion,” our research team warns.
Encryption adds an additional security layerFor AVFC, the Cybernews research team recommends retrospectively monitoring access logs to assess whether unauthorized actors have accessed the exposed bucket. Of course, the first step is always to secure the S3 bucket to prevent any further unauthorized access.
Even when storage gets compromised, the encryption of sensitive data would protect it from being accessed by unauthorized parties.
“AWS's server-side encryption tools, such KMS or AWS s3-managed keys, should be used to encrypt sensitive data and modify the bucket’s access settings,” our researchers recommend.
The owner should notify the Data Protection Authorities (ICO) if the bucket has been compromised.