[BreachExchange] Brazilian firm exposes personal details of thousands of soccer fans

Destry Winant destry at riskbasedsecurity.com
Thu Feb 6 10:11:46 EST 2020


https://www.zdnet.com/article/brazilian-firm-exposes-personal-details-of-thousands-of-soccer-fans/

Tens of thousands of Brazilian soccer fans have been exposed after a
publicly accessible cloud storage bucket leaked several gigabytes of
data containing sensitive information stretching back several years.

The leaky S3 bucket, investigated exclusively by ZDNet in partnership
with Brazilian cybersecurity news website The Hack, was owned by
Futebol Card, an online ticketing company that also provides member
and loyalty program management systems to a number of major soccer
clubs.
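The exposure described above is the classic "open S3 bucket" case: a bucket policy or ACL grants read access to everyone, and no account-level or bucket-level Public Access Block stops it. The following is an added example, not code from the article, ZDNet, or Futebol Card: an offline audit that takes the bucket policy, bucket ACL and PublicAccessBlock configuration in the dict shapes the S3 API returns and reports whether the bucket is anonymously readable. The bucket name, account id, role name and all policy/ACL documents below are constructed samples and assumptions, not the real bucket's configuration.

```python
import json

# Canned group URIs S3 uses for "anyone on the internet" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_LIKE_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that let a stranger list the bucket or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (sid, read_actions, conditional) for each Allow statement aimed at everyone.

    A statement with a Condition block may still be narrowed (for example to a
    VPC or source IP range), so it is reported with conditional=True for manual
    review instead of being counted as an open grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if a.lower() in READ_ACTIONS]
        if actions:
            findings.append((stmt.get("Sid", f"statement-{i}"), actions, "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            if grant.get("Permission") in READ_LIKE_PERMISSIONS:
                findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def assess_bucket(name, policy, acl, public_access_block):
    """Combine the three signals into one verdict.

    public_access_block is the PublicAccessBlockConfiguration dict. When all four
    flags are True, S3 ignores public ACLs and rejects public policies, so the
    bucket is not anonymously reachable even if the policy or ACL looks open."""
    blocked = all(public_access_block.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    policy_findings = public_policy_statements(policy)
    acl_findings = public_acl_grants(acl)
    unconditional_policy = any(not conditional for _, _, conditional in policy_findings)
    return {
        "bucket": name,
        "public_access_block_complete": blocked,
        "policy_findings": policy_findings,
        "acl_findings": acl_findings,
        "publicly_readable": (not blocked) and (unconditional_policy or bool(acl_findings)),
    }


# Constructed samples (assumed, not the real bucket): one world-readable export
# bucket and the same bucket locked down to a single service role.
BUCKET_ARN = "arn:aws:s3:::example-membership-exports"
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TicketingService", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ticketing-export"},
    "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [OWNER_GRANT]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for name, pol, acl, pab in [("leaky", LEAKY_POLICY, LEAKY_ACL, NO_BLOCK),
                                ("leaky-but-blocked", LEAKY_POLICY, LEAKY_ACL, FULL_BLOCK),
                                ("private", PRIVATE_POLICY, PRIVATE_ACL, FULL_BLOCK)]:
        print(json.dumps(assess_bucket(name, pol, acl, pab), indent=2))
```

Against a live account the same three dicts come from boto3's `get_bucket_policy` (its `Policy` field is a JSON string, so pass it through `json.loads`), `get_bucket_acl` and `get_public_access_block`; running the check on every bucket and alerting on `publicly_readable` is the control that would have caught this bucket before the export files were found by outsiders.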

Personal data belonging to supporters of a number of Brazilian
organizations was involved in the incident, but the vast majority of
the individuals exposed are fans of São Paulo-based soccer team
Palmeiras, one of the country's most popular and successful clubs,
with around 18 million supporters nationwide.


The 25GB sample analyzed contained a myriad of CSV files listing tens
of thousands of names, contact details, dates of birth, marital
status, social security numbers, payment method used for the
membership subscription and even details such as shirt sizes and a log
of comments fans made when signing up.

The CSV files exposed address details of thousands of soccer fans


In addition, the bucket in question contained information from the
MIFARE contactless cards used to access the stadia, such as individual
codes and status of the card - whether it had been generated, received
by the user, or canceled.

Given the large number of spreadsheets in the sample and the likelihood
that the same names appear more than once across the files, it was not
possible to estimate the exact number of soccer fans affected.

The files contained information such as marital status and even shirt sizes


However, one of the reports in the analyzed sample had 44,000 active
members and 9,700 inactive supporters, for reasons that could include
outstanding membership payments. Numbers from a fiscal watchdog for
Palmeiras suggest the club's base has about 67,000 season ticket
holders, of which 60,000 pay their membership fees regularly.


In addition, the unprotected server had a folder with several graphic
materials used for marketing campaigns, including CSS style sheets and
high-resolution images. Along with the personal information available
on the spreadsheets, the graphic material could provide cybercriminals
with a handy set of tools to create highly credible phishing campaigns
under the guise of online marketing.

Futebol Card was notified of the leaky bucket on January 30 and
rectified the issue the following day, although it is not known how
long the records had been exposed or how many people accessed the
information before the problem was fixed.

The website and Avanti Palmeiras, the membership scheme of Brazilian
soccer club Palmeiras, did not respond to requests for comment at the
time of publication.

