It has been reported that the website of English Premier League football club West Ham Utd has leaked the personal details of the club’s supporters. The club website is showing several error messages including “Drupal already installed”. Experts commented below.
<p>Vulnerabilities leading to an error screen, leaked data, or supplying details from other system users may be a result of commonly occurring vulnerabilities in the application security domain. A well-known list of common issues can be found in the OWASP Top 10 list. Every application that moves into production should at least be checked for OWASP Top 10 issues as a baseline to avoid and/or mitigate the most common vulnerabilities. These are also crucial for organizations to ensure GDPR compliance. After all, ensuring the confidentiality and integrity of data is vital to protect personal data from exposure.</p>
<p>We all trust our digital experiences to be inherently secure. Whether it’s a football club’s website or a banking app, we trust the service provider to keep our data safe. Anyone who thinks their data could have been leaked should be particularly careful of mobile phishing attacks in the future that leverage the leaked data.</p>
<p>All organisations of all sizes and in all verticals need to foster a culture of cyber security so that all aspects of security and design are taken into account. The leak at West Ham Utd is likely down to an internal error or misconfiguration, which is an easy enough error to make. This is why it’s important to have in place the proper security controls, particularly where customer data is concerned so that there can be assurance that the data is being handled correctly.</p>
<p>Football fans will remember that in July 2020, the theft of nearly £1m from a Premier League football club was narrowly avoided. Before that, in February 2020, a misconfigured application leaked information from the Brazilian ticketing company Futebol Card. The latest news about West Ham is hardly surprising. We will only see these headlines go away when all software deployments are done with security in mind. When organizations of all types have a security-first mindset, we will no longer read sad stories about open databases or misconfigured applications. Problems will still happen, of course, but they will be less common. Let’s make life a little hard for the bad guys. Affected West Ham fans should be aware that their personal information might be available to bad people, and be skeptical of unsolicited calls and emails containing their information.</p>
<p>The potential ramifications for West Ham United from this incident could be extremely costly. Since the introduction of GDPR, we have seen individual organisations fined as much as £42 million, with an astonishing overall amount of £235 million issued thus far against 533 organisations. For the West Ham United fans potentially affected by this breach, while the club should contact you directly if your details have been exposed, be cautious and act as if your personal details have been breached until notified otherwise. Be alert to incoming texts, calls, and emails utilising the information shared in this incident from unknown sources demanding further personal information or payment. Also consider the password you utilise for this account; if this has been duplicated on other personal accounts, this should be changed promptly.</p>