The World Baseball Softball Confederation (WBSC) left open a data repository exposing nearly 50,000 files, some of which were highly sensitive, the Cybernews research team has discovered.
On June 5th, our researchers discovered a misconfigured Amazon Web Services (AWS) bucket storing nearly 48,000 files.
A bucket is a container for storing data within AWS’s cloud storage system. The misconfiguration exposed the repository’s contents.
According to our team, the exposed files belonged to the WBSC, the world governing body for baseball, softball, and Baseball5 – a recently introduced sport combining the previous two.
The WBSC, headquartered in Switzerland, was established in 2013 and currently has 141 countries as members located in Asia, Africa, the Americas, Europe, and Oceania.
Worryingly, among the contents of the misconfigured AWS bucket, which the WBSC closed after being contacted by the team, were copies of 4,600 national passports.
We have reached out to the WBSC for further comment but did not receive a response before publishing this article.
“Since passports contain a significant amount of personal information, including full names, date of birth, and a unique passport number, cyber criminals could use them to impersonate victims and steal their identities.”the team said.
What are the risks of exposing passport data?
Government-issued documents are arguably the most important form of identification a person holds. According to the team, having passport data exposed puts individuals at risk of identity theft.
“Since passports contain a significant amount of personal information, including full names, date of birth, and a unique passport number, cyber criminals could use them to impersonate victims and steal their identities,” the team said.
Malicious actors can use stolen information to engage in fraudulent activities like opening bank accounts, applying for loans, and executing other types of fraud.
Cybercrooks can also use stolen IDs to create counterfeit passports for traveling purposes. Stolen details can be sold on dark web forums, which later are sold to third parties that develop fake documents.
“Direct financial loss is also a possible risk. Identity thieves may attempt to gain unauthorized access to bank accounts or credit cards and use stolen identity to make fraudulent transactions,” the team said.
Another risk people whose passports were exposed have to deal with is spear phishing attacks. Criminals with access to target IDs can combine it with publicly available information to devise convincing social engineering attacks.
That way, cybercriminals can coax victims into providing further information or manipulate them into taking specific actions.
What should the WBSC do?
- Retrospectively examine the access logs to determine whether third parties have accessed data in the bucket
- If the bucket has been breached, alert the Data Protection Authorities
- Change the bucket’s access settings and secure sensitive data using AWS’ server-side encryption, such as KMS or AWS s3-managed keys
- Consider implementing best security practices such as regular audits, automated security checks, and employee training
WBSC is hardly the first sports governing body to leak passports. Earlier this year, the team discovered that Le Mans Endurance Management, operating the FIA World Endurance Championship’s website, exposed the data of hundreds of drivers by leaking their IDs and driver’s licenses.
More from Cybernews:
Subscribe to our newsletter