Huge WWE Leak Exposes Data of Three Million Wrestling Fans

An IT error may have exposed the personal information of millions of WWE fans, according to news that surfaced yesterday.

As reported by Forbes, Kromtech’s Bob Dyachenko uncovered a large, unprotected database belonging to the sports entertainment company which contained data on more than three million users.

The data, which included home and email addresses, dates of birth and gender types, was apparently open to any individual who knew the web address to search. It sat on an Amazon Web Services S3 server that is believed not to have been protected by a username or password and was therefore openly accessible.

It is not currently known which particular branch of the WWE Corporation the database came from, but as social media tracking data was included, there are suspicions it may belong to a marketing team, with evidence pointing towards the WWE Network.

Dyachenko made the WWE aware of the issue on July 4, and the company has since responded with the following statement to Prowrestling.net:

“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”

Speaking to Infosecurity, Mark James, IT security specialist at ESET, said that there should never be any public-facing data without some form of authentication needed to access it.

“Security measures are in place for a reason but occasionally, either through design or during testing, they are switched off to make life easier,” he added. “It is then overlooked or purposely left without security because it is seen as not being a concern in the first place. We need to understand that all data has a value. With tools available for anyone to download and use that enable them to simply scan ports and look for open databases, we must assume that every database is a potential target.”

Raj Samani, chief scientist and Fellow at McAfee, said: “This latest leak is yet another indication that organizations need to wake up to the ever-present threat of a breach or attack. As companies collect more and more data, they may be unconsciously shooting themselves in the foot in their efforts to be completely secure.”
