WWE Leaks Information on 3 Million Fans

On July 4th World Wrestling Entertainment Incorporated notified fans of a data leak of consumer information.

Report filed by: Christopher Kolezynski
Cyber Law Student

Cleveland-Marshall College of Law

 

On July 4th World Wrestling Entertainment Incorporated notified fans of a data leak of consumer information. Security researcher Bob Dyachenko, an employee of Kromtech Security Research Center, identified the vulnerable database and notified the WWE.

The database contained personal information on approximately three million fans. While none of this data was credit card information the data was used for marketing purposes and “included names, both home and email addresses, earnings, ethnicity, children’s age ranges, birthdates and additional personally identifiable information”, according to the WWE.

The unsecured Amazon Web Services S3 server contained this WWE consumer information in plain text viewable by anyone who knew the web address. The data resided in two buckets. 12 percent of the information in the first bucket was set to public access with no username or password needed to view it.

A second bucket of data was discovered through a public access configuration file in the first bucket. The public access configuration file pointed to this related WWE bucket which contained similar personal identifiable information on consumers and fans. Unsurprisingly, around 12 percent of the second bucket was also set to public access.  The information in the second database consisted of information on European fans and included “addresses, telephone numbers and names”, according to Forbes and Dyachenko.

The publicly accessible data consisted of marketing data on fans and consumers. This data included spreadsheets tracking the company’s social media accounts broken down by country which could be utilized for targeted advertising. The database also contained saved Twitter posts organized by keywords relating to the company. The WWE does not state how it uses such information but does state in its privacy policy that it shares information with anonymous partners.

Information on ethnicity, addresses, and child age ranges caught the attention of privacy advocates. According to Forbes, “[a]mongst the categories within the ethnicity bracket were [C]aucasian, African American, American Indian, Hispanic and Asian, while options for children’s age ranges were under 13, over 13, both or none.”

Joseph Hall of the Center for Democracy and Technology expressed his concerns stating “[a]ddresses with [the] number and ages of children makes me nervous.”

In the Forbes report on the leak, Hall also went on to note a past incident involving Facebook and the use of ethnic information for targeted advertising. In response to public attention, Facebook stopped allowing advertisers to use this ethnic information for “housing, employment, or credit” advertisements.

Hall stated “it’s unfortunate Amazon doesn’t have a ‘neighborhood patrol’ of sorts for S3 that checks for open buckets with sensitive data – jiggling the locks, checking for apparent misconfigurations – and then takes them offline.” Amazon has suffered multiple leaks recently related to AWS servers including a leak of information on 198 million voters in June. It seems such a proactive measure could be beneficial.

The vulnerabilities have been addressed by WWE. At this time it is unknown whether malicious actors obtained access to the information.

According to MacKeeper Security Research Center, “no information on the wrestlers or staff was accessible.”  WWE’s stock value is also allegedly unaffected by the breach, according to prowrestling.net.

Kromtech pointed to “either WWE or an IT solution provider for misconfiguring the Amazon S3 database hosting the data.”

You must be logged in to post a comment Login