It has been reported that tens of thousands of Brazilian soccer fans have been exposed as a publicly-accessible cloud storage bucket leaked several gigabytes of data with sensitive information stretching back several years. The leaky S3 bucket, investigated exclusively by ZDNet in partnership with Brazilian cybersecurity news website The Hack, was owned by Futebol Card, an online ticketing company that also provides member and loyalty program management systems to a number of major soccer clubs. Personal data belonging to supporters of a number of Brazilian organizations was involved in the incident, but the vast majority of the individuals exposed are fans of São Paulo-based soccer team Palmeiras, one of the country’s most popular and successful Brazilian clubs, with around 18 million supporters nationwide.
For anyone wondering “where do I start with cybersecurity,” this story of yet another unprotected cloud storage bucket is a cautionary tale. A very simple first step would be to make a policy that requires authentication for any Internet-facing systems. Enforcing this policy would have prevented the Futebol Card leak. Incremental changes to this policy would allow you to drive down your risk in easy-to-digest steps, such as requiring strong passwords, managing secure storage for the passwords themselves, and ensuring encryption of data at rest and data in motion. Cybersecurity doesn’t have to be overly complicated. Relatively simple steps can result in a big reduction in risk for your organisation. The key point is to consider security in all things from the very beginning, so that you do a small amount of work in the short term to avoid wrestling with calamity in the long term.
Cloud storage solutions are convenient and cost effective, but are increasingly in the news for being misconfigured. It’s vital to remember that every implementation of Amazon cloud services need to be handled by experts who understand how to configure S3 buckets securely. This is especially true when personal details, willingly shared by supporters, and other pieces of sensitive data like contactless payments are being handled. In these scenarios, organisations must follow certain procedures, policies, and regulations like LGDP. With LGDP now effective law in Brazil, the fines could extend to 50 million real – and that’s in addition to the reputational damage within the market. If businesses do not take action to implement data access and audit protocols in public cloud storage resources, and ensure that those involved with data management are well-trained on both security principles but also threat identification, data leakage issues such as this could become very real for any organisation.