An unsecured Microsoft Azure storage bucket owned by CEV, the European Volleyball Confederation, was recently found leaking the photos and identity documents of hundreds of European volleyball players and sports journalists.
The unsecured Azure storage blob was first discovered by security researcher Bob Diachenko in November last year. Diachenko confirmed that the identity documents in the bucket belonged to prominent journalists and media representatives who had submitted them as part of an accreditation process run by CEV (Confédération Européenne de Volleyball).
Upon accessing the exposed Azure storage blob at accreditationstorage.blob.core.windows.net/backup/, Bleeping Computer verified that the hundreds of photos in the bucket belonged to volleyball players and journalists. It also found a backup directory containing scans of personal documents such as driver's licences, passports and other identity documents of volleyball players and sports journalists.
The journalists whose identity documents were stored in the blob had submitted them to CEV to receive accreditation for covering volleyball tournaments and other sporting events. All of the affected volleyball players were found to be associated either with CEV or with a volleyball federation recognised by CEV.
Bleeping Computer made repeated attempts to contact CEV through various channels to disclose the massive data exposure, but received no response until early February, apart from an acknowledgement email from CEV's legal team in early December that was quickly recalled.
It was only on 29th January that public access to the unsecured Azure storage bucket was restricted by CEV, more than two months after it was first discovered by Diachenko. Soon after, a representative from the federation sent an acknowledgment to Bleeping Computer.
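One way to audit an Azure storage account for the kind of anonymous access described above, written for this article as an added example (not CEV's, Microsoft's or Bleeping Computer's code): it reads the JSON that `az storage account show` and `az storage container list` emit and flags containers that are reachable without credentials, then builds the CLI commands that close them. The account and container names in the sample data are constructed.

```python
import json

# Constructed sample output in the shape returned by
#   az storage account show --name <account> --output json
#   az storage container list --account-name <account> --auth-mode login --output json
# Only the fields the audit reads are included; the values are made up.
ACCOUNT_JSON = '{"name": "exampleaccount", "allowBlobPublicAccess": true}'
CONTAINERS_JSON = """[
  {"name": "backup",  "properties": {"publicAccess": "container"}},
  {"name": "photos",  "properties": {"publicAccess": "blob"}},
  {"name": "private", "properties": {"publicAccess": null}}
]"""


def audit_public_access(account_json, containers_json):
    """Return (scope, name, finding) tuples describing anonymous-access exposure.

    A container is reachable without credentials only when the account permits
    blob public access AND the container's own publicAccess level is set.
    "container" also allows anonymous listing, which is how a directory such as
    /backup/ can be enumerated; "blob" only allows reads of URLs already known.
    """
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    findings = []
    # Assumption: a missing or null allowBlobPublicAccess is treated as permitted,
    # the conservative reading for accounts created before the setting existed.
    account_allows = account.get("allowBlobPublicAccess") is not False
    if account_allows:
        findings.append(("account", account["name"], "allowBlobPublicAccess is not false"))
    for c in containers:
        level = c.get("properties", {}).get("publicAccess")
        if level is None or not account_allows:
            continue  # private container, or public access blocked account-wide
        detail = ("anonymous listing and read" if level == "container"
                  else "anonymous read of known blob URLs")
        findings.append(("container", c["name"], f"publicAccess={level}: {detail}"))
    return findings


def remediation_commands(account_name, findings):
    """Build the az CLI commands that remove anonymous access for each finding."""
    cmds = []
    for scope, name, _ in findings:
        if scope == "account":
            cmds.append(f"az storage account update --name {account_name} "
                        "--allow-blob-public-access false")
        else:
            cmds.append(f"az storage container set-permission --name {name} "
                        f"--account-name {account_name} --public-access off")
    return cmds
```

Disabling public access at the account level is the setting that would have blocked anonymous reads regardless of how individual containers were configured.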
“Thanks for your email and for reporting this security issue to us. Indeed, the server is now secure, and we are working internally and with our processor to improve on the security of personal data in all the tools we use, and to improve our response plan in case of security incidents,” the representative said.
Speaking to TEISS, Trevor Morgan, product manager at data-security specialists comforte AG, said that the massive exposure of personal records by CEV shows yet again that organisations need to perform the necessary due diligence to configure and secure every piece of data within their cloud-based infrastructure.
“Basic security measures and configurations for cloud services aren’t enough to protect sensitive PII in the cloud. Every business needs to look to these examples of leaks and breaches and then decide whether to take their security posture to the next level, thereby avoiding a similar fate.
“Adopting a data-centric security approach that protects the data at rest, in motion, or even in use is an ideal first step. Data-centric protection methods like tokenization and format-preserving encryption obfuscate the sensitive meaning in data, so even if a properly configured system is compromised and data actually falls into the wrong hands, sensitive information still remains protected.
“Threat actors can’t get to the meaning within the tokenized or encrypted data, so they cannot leverage or sell the data. These incidents are a wake-up call for complacent organisations who rely on cloud-based services but who have yet to put serious thought into protecting against leaks and breaches,” he added.