Sensitive details of 3 million WWE fans exposed on unprotected cloud storage
7 July 2017
Personal details of as many as 3 million WWE fans were found exposed after a security researcher discovered an unprotected WWE database on Amazon's cloud server.
The unprotected WWE database contained income details, addresses, educational background and ethnicity of millions of American wrestling fans.
The database was discovered by Bob Dyachenko from security firm Kromtech earlier this week. Following the discovery, he promptly informed WWE Corporation on 4 July, describing the nature of the exposed data and its contents.
WWE Corporation has confirmed that it has removed the unsecured database from the cloud server and is investigating a potential vulnerability of the database.
Dyachenko found that the database was not protected by any username or password and stored information on WWE fans in plain text. The information included income details, addresses, educational background, ethnicity, email addresses, birthdates, as well as gender and age ranges of children, the latter being optional fields.
First reported by Forbes, the unsecured database on Amazon's S3 server could be accessed by anyone 'who knew the web address to search'. Even though it is not accessible anymore, it is not clear how long the database was kept on the cloud server without any password protection or added encryption. It is hence possible that the database may have been discovered by malicious hackers scanning the cloud for unprotected content.
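The two settings at the heart of this story are whether a bucket grants access to everyone and whether data at rest is encrypted. The following Python functions are an added illustration, not code from the article, Kromtech or WWE: they audit those settings offline, taking input in the shapes boto3 returns from get_bucket_acl, get_bucket_policy and get_bucket_encryption; the sample bucket data is constructed, not WWE's real configuration.

```python
# Grantee URIs that make an ACL grant apply to everyone (AllUsers) or to every AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_permissions(acl):
    """Permissions an ACL (get_bucket_acl shape) grants to the public groups above."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may also sit inside a list)."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_public_statements(policy):
    """Sids of unconditional Allow statements (get_bucket_policy shape) open to everyone."""
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _principal_is_everyone(s.get("Principal"))]

def encryption_enabled(config):
    """True if a ServerSideEncryptionConfiguration applies SSE-S3 or SSE-KMS by default."""
    return any(rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for rule in (config or {}).get("Rules", []))

def audit_bucket(name, acl, policy, encryption):
    """Return human-readable findings; an empty list means nothing was detected."""
    findings = []
    for perm in acl_public_permissions(acl):
        findings.append(f"{name}: ACL grants {perm} to a public group")
    for sid in policy_public_statements(policy):
        findings.append(f"{name}: bucket policy statement {sid} allows Principal '*'")
    if not encryption_enabled(encryption):
        findings.append(f"{name}: no default server-side encryption configured")
    return findings

# Constructed sample resembling an open bucket; not WWE's real configuration.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-fan-data/*"}]}
```

Calling audit_bucket("example-fan-data", SAMPLE_ACL, SAMPLE_POLICY, None) yields three findings: a public READ grant, a policy statement open to Principal '*', and no default encryption.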
Dyachenko believes that the database was maintained and uploaded to cloud by one of WWE Corporation's marketing teams as the data contained posts from WWE stars as well as fans. He added that information on customers in the database was similar to 'those in the account details section for customers of the WWE Network.'
Dyachenko added that a similar database containing personal information of European WWE fans was also uploaded to the Amazon cloud server. These details included addresses, telephone numbers, and names of fans but there is no information on how many European fans were exposed. WWE Corporation has assured fans that no credit card or password information were exposed through any of these databases.
"In today's data-driven world, large companies store information on third party platforms and unfortunately have been subject to similar vulnerabilities. WWE utilizes leading cyber security firms to proactively protect our customer data," it told Forbes.
This incident recalls an earlier one in which data stored on Amazon's S3 cloud service very nearly exposed a United States department responsible for battlefield satellite and drone surveillance imagery.
US defence contractor Booz Allen Hamilton stored classified data belonging to that department on Amazon Web Services' S3 storage service. The data included a Booz Allen Hamilton engineer's remote login (SSH) keys as well as login credentials for another system owned by the contractor. Had malicious hackers discovered them, the login credentials could have been used to unearth more sensitive and classified data connected to US defence departments.
“This incident serves to highlight the shared responsibility model of the cloud and reinforces the fact that while cloud applications themselves can be secure, it is up to enterprises to use the applications securely. In relation to this specific case, there are technologies available today that could have quickly, easily and cost effectively encrypted the sensitive customer PII, en route to the cloud. This would ensure that even after unauthorised access, the data would be protected,” said Anurag Kahol, CTO at Bitglass.
"Leaving classified data unprotected on the cloud is a monumental breach and that’s why it’s so important to have a way of monitoring systems – not only for the organisation’s own workers but for any contractors that are employed," said Piers Wilson, Head of Product Management at Huntsman Security.
"Organisations need to ensure nothing untoward is taking place regarding such sensitive data or that, when it does, it is immediately flagged up to security analysts who are able to take action – without burying those analysts in false alarms.”