In what is likely to be an operator or technician error, WWE left unencrypted personal details of more than 3 million customers exposed on AWS in at least two separate databases. The issue was reported to WWE on July 4, and the company swiftly removed them.
According to a report in Forbes, the discovery was made by a Kromtech researcher named Bob Dyachenko.
WWE has acknowledged the incident with a brief statement on its website: “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”
There is no indication in this statement over whether the database may or may not have been accessed or downloaded by anyone other than Mr Dyachenko.
According to Forbes, all the stored data was held in plaintext, and included educational background, earnings and ethnicity, home and email addresses, birthdates, and customers’ children’s age ranges and genders where supplied.” Holding children’s age, sex and home addresses will be particularly concerning for privacy advocates.
Although the WWE statement implies a single database, it seems that a second database contained European customer data; specifically comprising “reams of information primarily on European fans, though the information contained only addresses, telephone numbers and names…”
That second database is worth considering, since names, addresses and telephone numbers will be considered protected personal information under European laws.
“Organizations like WWE which inadequately value subscriber data will, from May 2018, find themselves exposed also to GDPR fines,” warned Alan Calder, founder and executive chairman of IT Governance Ltd in an emailed comment. “A personal data breach on this scale would have to be reported to an EU supervisory authority and could well lead to a significant fine for failing to protect personal data.”
GDPR can impose penalties of up to €20 million or 4% of global turnover, whichever is the greater; and that this can be imposed even though the company may be American, located in America, and storing the data on an American server.
This is not the first time in recent weeks that AWS customers have left data exposed. Last month, three contractors left 1 terabytes of data (including the details of 198 million American voters) on an unprotected AWS S3 bucket. There have been calls for Amazon to highlight sensitive data stored insecurely; but it is the customers’ responsibility to protect it.
Even if security firms are employed by the data owner (or ‘controller’, in this case WWE), regulatory responsibility for protecting that data almost always remains with the controller under European law. SecurityWeek has reached out to both the WWE-named security firms (Smartronix and Praetorian) and will update this article with any response.