Aston Villa’s gates have security gaps: fans exposed


Aston Villa Football Club (AVFC) left a publicly leaking Amazon Web Services (AWS) S3 bucket containing the personally identifiable information of 135,770 individuals. The affected fans are vulnerable to spear phishing, social engineering attacks, and identity theft attempts.

On March 13th, 2024, the Cybernews research team discovered a publicly accessible AWS S3 bucket (cloud storage service). The storage likely belongs to Aston Villa Football Club, as it contained 135,770 member records among 5842 exposed CSV files used for storing data.

The exposed personal information contains the following:

  • Full names
  • Dates of birth
  • Home addresses
  • Phone numbers
  • Email addresses
  • Membership details
  • Purchase details (date, method of payment, type of membership purchased)

Cybersecurity researchers warn that “the exposure of personally identifiable information presents a series of severe information security implications and risks to the club’s fans.”

The leaking bucket was labeled “prod” in its name, which suggests it could be used to store and manage data used in AVFC’s operational and production environments.

After responsible disclosure, the bucket is no longer public. Cybernews has reached out to AVFC for additional comments, but we have yet to receive a response.

Therefore, it’s unclear what caused the leak or whether other third parties have compromised the bucket.

Founded in 1874, Aston Villa Football Club is a professional football club based in Aston, Birmingham, England. Villa competes in the Premier League, the highest level of the English football league system, and has recently qualified for next season’s Champions League, Europe’s elite competition.

The AVFC official website has 1.1 million monthly visitors, according to Similarweb.


The Club investigates the incident

Aston Villa released a public statement after the Cybernews article was published.

“First and foremost, Aston Villa takes the privacy and security of its fans’ personal data extremely seriously and is carrying out a full and robust investigation into these reports,” the Club stated.

The Club believes that the reports relate to a vulnerability in one of its service provider’s systems, “which the Club understands has been closed and that there is no evidence to suggest that any password or payment data has been compromised.”

“The Club continues to work closely with the service provider, who is carrying out its own forensic investigation,” AVFC’s statement reads.

The Club reassures fans that it is taking all appropriate measures to ensure data security, including reporting the incident to the Information Commissioner’s Office.

The Club will continue to communicate any updates from the ongoing investigation.

Many risks ahead

For cybercriminals, the data is a treasure trove that may be used for many financially motivated attacks.

The more data crooks can leverage, the more sophisticated social engineering attacks they can orchestrate.


“Attackers could engage in manipulative tactics aimed at persuading unsuspecting individuals to divulge further sensitive information or undertake actions that compromise their security. This may involve impersonating trusted entities to elicit additional personal or financial information,” researchers warn.

Villa fans should be aware that exposed email addresses and phone numbers can be used for spear phishing campaigns tailored to each individual.

Cybercriminals may craft deceptive emails, text messages, or calls purporting to originate from legitimate sources. Such scams often seem genuine, and victims unintentionally fall for them. Avoid clicking on suspicious links, downloading unexpected attachments, or divulging login information, and follow other good cyber hygiene practices.

“Personal safety and security are seriously threatened when the residential address is made public. Doxxing incidents violate a person’s privacy. The consequences are not limited to cyberspace and could involve other illegal activities that are made easier by knowing exactly where the person lives, such as theft, burglary, or physical incursion,” our research team warns.

Encryption adds an additional security layer

For AVFC, the Cybernews research team recommends retrospectively monitoring access logs to assess whether unauthorized actors have accessed the exposed bucket. Of course, the first step is always to secure the S3 bucket to prevent any further unauthorized access.

Even when storage gets compromised, the encryption of sensitive data would protect it from being accessed by unauthorized parties.

“AWS’s server-side encryption tools, such as KMS or AWS S3-managed keys, should be used to encrypt sensitive data and modify the bucket’s access settings,” our researchers recommend.

The owner should notify the Data Protection Authorities (ICO) if the bucket has been compromised.
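The two recommendations above, retrospective review of access logs and hardening of the bucket, can both be done from a short script. The following is an added example written for this article, not code from Cybernews, AVFC or its service provider. It assumes S3 server access logging was already enabled on the bucket (AWS writes one space-delimited line per request, with a requester of `-` for unauthenticated calls), and every log line, bucket name, IP address, key name and account id in it is constructed for illustration rather than taken from the incident. The `hardening_calls` helper returns the boto3 `put_public_access_block` and `put_bucket_encryption` calls a responder would apply; the client is passed in so the block runs offline.

```python
"""Triage S3 server access logs for unauthenticated reads, then list the
hardening calls (public-access block + SSE-KMS default encryption).

All sample data is constructed for this example: "prod-example-bucket",
the IPs, keys and account id are placeholders, not values from the incident.
"""
import re
from dataclasses import dataclass

# S3 server access log line: owner bucket [time] ip requester reqid operation key "uri" status ...
# Only the leading fields are parsed; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) '
)

# Constructed log excerpt: two anonymous object reads, one anonymous bucket
# listing, one authenticated PUT, and one anonymous read denied after remediation.
SAMPLE_LOG = """\
79a59df9 prod-example-bucket [13/Mar/2024:10:02:11 +0000] 203.0.113.7 - 3E57427F3EXAMPLE REST.GET.OBJECT members/export_0001.csv "GET /members/export_0001.csv HTTP/1.1" 200 - 812345 812345 41 39 "-" "Mozilla/5.0" - x - - - s3.eu-west-2.amazonaws.com TLSv1.2 - -
79a59df9 prod-example-bucket [13/Mar/2024:10:02:12 +0000] 203.0.113.7 - 891CE47D2EXAMPLE REST.GET.OBJECT members/export_0002.csv "GET /members/export_0002.csv HTTP/1.1" 200 - 790112 790112 38 36 "-" "Mozilla/5.0" - x - - - s3.eu-west-2.amazonaws.com TLSv1.2 - -
79a59df9 prod-example-bucket [13/Mar/2024:10:05:00 +0000] 198.51.100.9 - A1B2C3D4EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 5342 - 12 11 "-" "aws-cli/2.15" - x - - - s3.eu-west-2.amazonaws.com TLSv1.2 - -
79a59df9 prod-example-bucket [13/Mar/2024:11:00:00 +0000] 10.0.0.5 arn:aws:iam::123456789012:user/etl-writer 7F8E9D0CEXAMPLE REST.PUT.OBJECT members/export_0003.csv "PUT /members/export_0003.csv HTTP/1.1" 200 - - 801000 55 50 "-" "aws-sdk-python/1.34" - x - - - s3.eu-west-2.amazonaws.com TLSv1.2 - -
79a59df9 prod-example-bucket [14/Mar/2024:09:30:00 +0000] 203.0.113.7 - 0C0D0E0FEXAMPLE REST.GET.OBJECT members/export_0001.csv "GET /members/export_0001.csv HTTP/1.1" 403 AccessDenied - 812345 7 - "-" "Mozilla/5.0" - x - - - s3.eu-west-2.amazonaws.com TLSv1.2 - -
"""


@dataclass
class AccessRecord:
    time: str
    ip: str
    requester: str
    operation: str
    key: str
    status: str


def parse_log(text):
    """Parse the leading fields of each S3 access log line; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(AccessRecord(m["time"], m["ip"], m["requester"],
                                        m["operation"], m["key"], m["status"]))
    return records


def anonymous_reads(records):
    """Successful (2xx) GETs/listings where S3 recorded no authenticated requester."""
    return [r for r in records
            if r.requester == "-" and r.operation.startswith("REST.GET.")
            and r.status.startswith("2")]


def summarize(records):
    """Evidence a responder needs: how much was read, by whom, and over what window."""
    hits = anonymous_reads(records)
    return {
        "anonymous_successful_reads": len(hits),
        "unique_source_ips": sorted({r.ip for r in hits}),
        "objects_read": sorted({r.key for r in hits if r.key != "-"}),
        "listings": sum(1 for r in hits if r.operation == "REST.GET.BUCKET"),
        "first_seen": hits[0].time if hits else None,
        "last_seen": hits[-1].time if hits else None,
    }


def hardening_calls(bucket, kms_key_arn):
    """boto3 S3 client calls to block public access and default to SSE-KMS.

    Returned as (method, kwargs) pairs so they can be reviewed or applied later.
    """
    return [
        ("put_public_access_block", {
            "Bucket": bucket,
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
            },
        }),
        ("put_bucket_encryption", {
            "Bucket": bucket,
            "ServerSideEncryptionConfiguration": {"Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
                "BucketKeyEnabled": True,
            }]},
        }),
    ]


def apply_hardening(s3_client, bucket, kms_key_arn):
    """Apply the calls above with a real boto3 client (e.g. boto3.client("s3"))."""
    for method, kwargs in hardening_calls(bucket, kms_key_arn):
        getattr(s3_client, method)(**kwargs)


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Two design points worth noting. First, the triage filters on `requester == "-"` and a 2xx status, so the denied request logged after the bucket was locked down is excluded and only reads that actually succeeded count as exposure. Second, SSE-KMS is the encryption mode to prefer for data like this: an anonymous reader of a bucket that defaults to SSE-S3 still receives plaintext, because S3 decrypts transparently for any request it authorizes, whereas SSE-KMS additionally requires the caller to be allowed `kms:Decrypt` on the key, which an unauthenticated request never is. Default encryption only applies to objects written after it is set; existing objects must be re-encrypted (for example by copying them in place).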

Updated on May 27th [08:30 a.m. GMT] with a statement from AVFC.
