Unprotected AWS server lets anyone get up close and personal with WWE customer data
A data leak at World Wrestling Entertainment (WWE) has left the personal data of over three million fans exposed online and at risk of theft.
Security firm Krontech has revealed that one of its researchers discovered an unprotected database that contained a plethora of customer information, including home and email addresses, dates of birth, financial earnings and genders.
According to researcher Bob Dyachenko, the unencrypted database was stored on an AWS S3 server with no password protection, meaning it could be accessed by anyone who knew the web address.
Speaking to Forbes, Dyachenko suggested that the server was likely misconfigured by either WWE itself or an IT partner.
He added that, although it is unclear which branch of the WWE Corporation the database belongs to, the presence of social media tracking data suggests that it probably came from one of the organisation’s marketing teams.
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured,” WWE said in a statement on its website.
“WWE utilises leading cyber security firms Smartronix and Praetorian to manage data infrastructure and cyber security and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”
WWE was informed of the leak on 4th July and immediately took down the database, although it is unclear how long it had been left open to public access.
A similar incident occurred in the US, when a contractor for the Republican party exposed the personal information of more than 198 million citizens after likewise failing to secure an AWS S3 server.
The WWE discovery also comes in the same week that the AA was roundly criticised for failing to notify more than 100,000 customers of a data breach that occurred in April, which is believed to have included names, email addresses and some credit card information.