In what is likely to be an operator or technician error, WWE left unencrypted personal details of more than 3 million customers exposed on AWS in at least two separate databases. The issue was reported to WWE on July 4, and the company swiftly removed them.
According to a report in Forbes, the discovery was made by a Kromtech researcher named Bob Dyachenko.
WWE has acknowledged the incident with a brief statement on its website: “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”
There is no indication in this statement over whether the database may or may not have been accessed or downloaded by anyone other than Mr Dyachenko.
According to Forbes, all the stored data was held in plaintext and included educational background, earnings and ethnicity, home and email addresses, birthdates, and customers’ children’s age ranges and genders where supplied. Holding children’s age, sex and home addresses will be particularly concerning for privacy advocates.
Although the WWE statement implies a single database, it seems that a second database contained European customer data; specifically comprising “reams of information primarily on European fans, though the information contained only addresses, telephone numbers and names…”
That second database is worth considering, since names, addresses and telephone numbers will be considered protected personal information under European laws.
“Organizations like WWE which inadequately value subscriber data will, from May 2018, find themselves exposed also to GDPR fines,” warned Alan Calder, founder and executive chairman of IT Governance Ltd in an emailed comment. “A personal data breach on this scale would have to be reported to an EU supervisory authority and could well lead to a significant fine for failing to protect personal data.”
GDPR can impose penalties of up to €20 million or 4% of global turnover, whichever is the greater; and these can be imposed even though the company may be American, located in America, and storing the data on an American server.
This is not the first time in recent weeks that AWS customers have left data exposed. Last month, three contractors left 1 terabyte of data (including the details of 198 million American voters) on an unprotected AWS S3 bucket. There have been calls for Amazon to highlight sensitive data stored insecurely, but it is the customers’ responsibility to protect it.
Even if security firms are employed by the data owner (or ‘controller’, in this case WWE), regulatory responsibility for protecting that data almost always remains with the controller under European law. SecurityWeek has reached out to both the WWE-named security firms (Smartronix and Praetorian) and will update this article with any response.