Welsh Rugby Union member addresses, names exposed


Wales’ rugby overseers, the Welsh Rugby Union (WRU), have exposed a dataset containing the personal details of nearly 70,000 of its members.

Rugby and cybersecurity have at least one thing in common – poor defense leads to defeat. Recent findings from the Cybernews research team suggest that the WRU should plug security holes in its cyber hull as the organization exposed thousands of its members.

According to the team, the WRU left a publicly accessible Amazon Web Services (AWS) Simple Storage Service (S3) bucket. The exposed instance contained 1419 text files with details on 69,317 of WRU’s members.

ADVERTISEMENT

WRU membership grants members rights to priority ticket access, exclusive content, and other members-only perks. Meanwhile, the WRU is a governing body for rugby in the country of Wales, which is a part of the United Kingdom but competes as a separate entity in rugby competitions and other sports such as football.

After we published the findings, WRU issued a statement, saying the organization has launched an investigation into “a suspected cyber incident.”

“We believe they relate to one of our service provider’s systems and we are working closely with the provider, which is also implementing its own in-depth inquiry,” reads the WRU's statement.

The Welsh rugby overseer said all of the data “has since been removed from the online source and it has already been established that no password or payment information has been compromised.” WRU added that no other suspicious activities were detected on the organization's systems.

WRU data sample
Sample of the leaked data. Image by Cybernews.

What WRU member data was exposed?

Researchers claim that the exposed instance contained a trove of data on tens of thousands of the WRU’s members, such as:

  • Full names
  • Dates of birth
  • Home addresses
  • Phone numbers
  • Email addresses
  • Date of membership purchase
  • Method of paying for membership
  • Type of membership purchased
ADVERTISEMENT

The exposed instance was named “prod,” which usually means “production,” indicating that the WRU used the bucket to store and manage data used in its operational environment.

Exposing the personal details of members presents severe information security implications for individuals whose data was leaked. For example, the team claims that malicious actors can exploit the data to perform social engineering attacks.

“By leveraging the data, attackers could engage in manipulative tactics aimed at persuading unsuspecting individuals to divulge further sensitive information or undertake actions that compromise their security,” our researchers said.

Moreover, exposed email addresses and phone numbers provide fertile ground for spear phishing or other targeted social engineering campaigns. Threat actors can build on leaked details to craft deceptive communications, including emails, messages, or calls, purporting to originate from legitimate sources.

“Because the scam might seem genuine, victims could unintentionally fall for it, including downloading infected attachments, clicking on dangerous links, or divulging login information,” the team said.

Another means to abuse the leaked information is what cybersecurity experts call doxxing, or the exposure of home addresses. Malicious actors may use the leaked details for theft, burglary, or physical incursion.

How to mitigate the leak?

To mitigate the dangers after exposing data stored on AWS S3 buckets, researchers advise retrospectively monitoring access logs and assessing whether the bucket has been accessed by unauthorized actors.

Admins should also employ AWS's server-side encryption tools, such as KMS or AWS s3-managed keys, to encrypt sensitive data and modify the bucket’s access settings.

WRU is hardly the first governing sports agency to leak user data. Earlier this year, researchers discovered that Australia’s football governing body, Football Australia, leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ personal data and players’ contracts and documents.

ADVERTISEMENT

Sports-related organizations are a ripe target for cybercriminals. For example, France’s governing body of football, the French Football Federation (FFF), has supposedly had its database stolen, exposing the details of over ten million professional and non-professional football players.

Updated on May 27th [08:35 a.m. GMT] with a statement from WRU.