A security researcher has allegedly found World Wrestling Entertainment (WWE) to be storing personally identifiable information (PII) on three million of its fans in plain text on an AWS S3 server.
Forbes reports that the huge database includes home and email addresses, birth dates, as well as customers’ children’s age ranges and genders, educational background, earnings and ethnicity.
Kromtech’s Bob Dyachenko, who reportedly alerted Forbes to the database, says the database is easily reachable over the web by anyone who knows the address, and it can even be searched.
Forbes claims it analysed samples of data provided by Dyachenko and found it all to be in plain text, with no username or password protection.
Dyachenko told Forbes such an error would most likely be a misconfigured database by WWE itself or an IT partner, based on other similar Amazon-hosted leaks.
A notable one was the leak of details of 198 million voters on an open database thanks to a Republican Party marketing contractor.
The data is suspected to be from WWE’s marketing team as it’s alleged to contain “social media tracking data”.
WWE was alerted to the leak on 4 July and swiftly made the data inaccessible.
Commenting on this, Ben Herzberg, research group manager at Imperva, said, “This is yet another heavyweight leak (pun intended) where the ease of cloud deployments probably made someone forget the basics. If you put it out there, someone will take it. This is another example of why each deployment operation of data or applications must be bolted in with security mechanisms, and why simply putting something on a cloud platform does not make it secure.”
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a potential vulnerability of a database housed on a third-party platform,” a spokesperson from WWE told Forbes.
“In today’s data-driven world, large companies store information on third-party platforms and unfortunately have been subject to similar vulnerabilities. WWE utilises leading cyber-security firms to proactively protect our customer data.”
The spokesperson told Forbes the company is working with “a leading cyber-security firm” to understand how the leak happened.
Raj Samani, chief scientist and fellow at McAfee, said in a statement: “Companies need to focus on building a fully integrated security system with automated monitoring in place to ensure that they are always one step ahead. Finding the right combination of people, process and technology is the key to effectively protecting the organisation’s data, detecting any threats and, when targeted, having the capability to rapidly correct affected systems.”
This article originally appeared on SC Media UK