Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Football Australia

Incident Details

Victimized Company:Football Australia
Incident Dates:2022-03-26 (approx) to 2024-02-01
Disclosure Date:2024-02-01
Current Status:N/A

Football Australia, the national governing authority for the sport, embedded an AWS Access Key in their website that granted access to 126 S3 Buckets containing sensitive information for players and fans.


Details of the Incident

An AWS long-term Access Key was embedded into the source code for the Football Australia website. As seen in the screenshot below (courtesy CyberNews) it looks related to Cognito: Screenshot of the source of the page

Moreover, one of the buckets was left completely unprotected, which means it was left public and accessible without any keys. The public digital storage container contained football players’ passports and contracts.

Screenshot of publicly listable bucket Image by Cybernews.

Per a statement from Football Australia to CyberNews:

the exposed data includes:

  • Personal identifiable information of players
  • Ticket purchase information
  • Internal infrastructure details
  • Source code of the digital infrastructure
  • Scripts of the digital infrastructure


Date Event
March 2022 681 days prior to disclosure, the access keys are exposed (source: Sydney Morning Herald)
February 1, 2024 Responsible Disclosure disclosed

Long-term Impact

None yet.

Summary of Coverage

Cloud Security Lessons Learned

  • There was no reason for an access key to be embedded into the website for the purposes of leveraging Cognito.
  • Long-term access keys were not rotated for almost two years
  • Football Australia has a public S3 bucket with sensitive player details in it. A Macie scan of public S3 Buckets might have caught this.
  • The aforementioned bucket was also publicly listable as seen in the above screenshot. There is almost never a good reason to have an S3 bucket where anyone can list the contents.