Public Cloud Security Breaches: Documenting their mistakes so you don't make them.

Football Australia

Incident Details

Victimized Company: Football Australia
Incident Dates: 2022-03-26 (approx) to 2024-02-01
Disclosure Date: 2024-02-01
Current Status: N/A

Football Australia, the national governing authority for the sport, embedded an AWS Access Key in their website that granted access to 126 S3 Buckets containing sensitive information for players and fans.

Incident

Details of the Incident

An AWS long-term Access Key was embedded into the source code for the Football Australia website. As seen in the screenshot below (courtesy CyberNews), it looks related to Cognito:

[Screenshot of the source of the page]

Moreover, one of the buckets was left completely unprotected: it was public and accessible without any credentials at all. This bucket contained football players' passports and contracts.

[Screenshot of publicly listable bucket] Image by Cybernews.

Per a statement from Football Australia to CyberNews, the exposed data includes:

  • Personal identifiable information of players
  • Ticket purchase information
  • Internal infrastructure details
  • Source code of the digital infrastructure
  • Scripts of the digital infrastructure

Timeline

Date               Event
March 2022         681 days prior to disclosure, the access keys are exposed (source: Sydney Morning Herald)
February 1, 2024   Responsible disclosure published

Long-term Impact

None yet.

Summary of Coverage

Cloud Security Lessons Learned

  • There was no reason for an access key to be embedded into the website for the purposes of leveraging Cognito.
  • Long-term access keys were not rotated for almost two years.
  • Football Australia has a public S3 bucket with sensitive player details in it. A Macie scan of public S3 buckets might have caught this.
  • The aforementioned bucket was also publicly listable as seen in the above screenshot. There is almost never a good reason to have an S3 bucket where anyone can list the contents.
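As an added example (not part of this write-up, and not Football Australia's code), the two checks below cover the first and last lessons: a scanner for long-term AWS access key IDs embedded in web assets, and a bucket-policy check for statements that let anonymous principals list the bucket. The sample JS and policy are constructed; the key ID is AWS's documented placeholder value, and the bucket name is hypothetical.

```python
import json
import re

# Long-term IAM access key IDs start with "AKIA"; temporary (STS / Cognito-issued)
# credentials start with "ASIA" and expire, so only the former is a lesson-1 finding.
_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")


def find_access_key_ids(source: str) -> list:
    """Return (key_id, kind) for every AWS access key ID found in web source text."""
    found = []
    for match in _ACCESS_KEY_RE.finditer(source):
        key_id = match.group(1)
        kind = "long-term" if key_id.startswith("AKIA") else "temporary"
        found.append((key_id, kind))
    return found


def _principal_is_anyone(principal) -> bool:
    # Both '"Principal": "*"' and '"Principal": {"AWS": "*"}' mean anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def allows_anonymous_list(policy: dict) -> bool:
    """True if any Allow statement lets an anonymous principal call s3:ListBucket."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in ("s3:listbucket", "s3:*", "*") for a in actions):
            return True
    return False


# Constructed sample: a JS bundle with an embedded long-term key (AWS's documented placeholder ID).
SAMPLE_JS = 'AWS.config.update({accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "..."})'

# Constructed sample: a bucket policy that lets anyone list the (hypothetical) bucket.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}""")

if __name__ == "__main__":
    print(find_access_key_ids(SAMPLE_JS))      # [('AKIAIOSFODNN7EXAMPLE', 'long-term')]
    print(allows_anonymous_list(SAMPLE_POLICY))  # True
```

Run the policy check against the output of `aws s3api get-bucket-policy` for each bucket, and the key scanner against every JS bundle the site serves; an "ASIA" hit is expected for Cognito-issued credentials, an "AKIA" hit never is.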