A whopping almost 32 million records and around 110 TB of data belonging to tech users from Trackman were left exposed to the internet. The database exposed user names, email addresses, device information, IP addresses, and security tokens.
They were found by Jeremiah Fowler, a Security Researcher and co-founder of Security Discovery, who reported his findings to Website Planet. He said the records had been sitting in a non-password-protected database for an indeterminate time.
TrackMan is a company known for its swing and shot analysis technology used by professional and amateur golfers worldwide.
Potential Exploitation
Fowler said there were several potential risks with the exposed data, including sensitive user details that could be exploited for cyberattacks. TrackMan’s technology, used in golf simulators, range solutions, and launch monitors, relies on radar and imaging technology to gather precise data on ball flight and player movement.
The uncovered records included “session” reports that detailed analytics and statistics, indicating the usage of TrackMan Performance Studio, a popular tool for performance analysis.
Top broadcast networks, including the Golf Channel, BBC, and CNN World, widely used the company’s technology to deliver real-time data and enhanced viewing experiences for sports fans.
Security Risks and Potential Threats
The exposure of personal data, such as names and email addresses, raises concerns over potential phishing attacks or social engineering threats. TrackMan’s clientele includes high-profile athletes, who could be targeted due to their public profiles and financial status, although Fowler noted that there is no indication of actual misuse.
Additionally, the exposed data included GUIDs (Globally Unique Identifiers) and Wi-Fi configuration details. Although GUIDs are less sensitive than personal data, they can still provide malefactors with information that could be exploited to identify device vulnerabilities.
Similarly, Wi-Fi and hardware information can be exploited in attacks targeting specific device models or configurations, increasing the likelihood of unauthorized network access through brute force or man-in-the-middle attacks.
Recommendations for Sports Technology Firms
Fowler stressed that sports technology companies like TrackMan must implement stringent security measures, particularly when handling large-scale user data.
Best practices include encryption, multi-factor authentication, regular software updates, and access restrictions for sensitive data. Fowler advises companies to conduct regular security audits to identify potential vulnerabilities and safeguard data against unauthorized access.
While TrackMan did not respond to the disclosure notice before publication, Fowler said the database was secured shortly after his report. He clarified that his investigation is aimed solely at raising awareness about data security and does not imply any direct wrongdoing by TrackMan.
He encouraged companies to proactively secure their data repositories, as public access to such data could lead to significant risks for both entities and their users.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
