Report filed by: Christopher Kolezynski
Cyber Law Student
Cleveland-Marshall College of Law
On July 4th, World Wrestling Entertainment Incorporated notified fans of a data leak of consumer information. Security researcher Bob Dyachenko, an employee of Kromtech Security Research Center, identified the vulnerable database and notified the WWE.
The database contained personal information on approximately three million fans. None of this data was credit card information; it was used for marketing purposes and “included names, both home and email addresses, earnings, ethnicity, children’s age ranges, birthdates and additional personally identifiable information”, according to the WWE.
The unsecured Amazon Web Services S3 server contained this WWE consumer information in plain text, viewable by anyone who knew the web address. The data resided in two buckets. In the first bucket, 12 percent of the information was set to public access, with no username or password needed to view it.
A second bucket of data was discovered through a publicly accessible configuration file in the first bucket. This configuration file pointed to a related WWE bucket, which contained similar personally identifiable information on consumers and fans. Unsurprisingly, around 12 percent of the second bucket was also set to public access. The information in the second database consisted of information on European fans and included “addresses, telephone numbers and names”, according to Forbes and Dyachenko.
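The kind of exposure described above, where only part of a bucket is public and a public file names a second bucket, can be caught by an owner-side audit of object ACLs. The following is an added example, not code from this report or from any party named in it: the ACL dictionaries follow the shape of boto3's `get_object_acl` response, while the bucket names, object keys, file contents and the `s3://` reference format are constructed assumptions.

```python
"""Audit object ACLs (boto3 get_object_acl shape) for anonymous read access."""
import re

# Group URIs S3 uses for "everyone" and "any AWS account" grantees.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMS = {"READ", "FULL_CONTROL"}

def is_public(acl):
    """True if any grant gives a public group read access to the object."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in READ_PERMS
        for g in acl.get("Grants", [])
    )

def audit(bucket, objects):
    """objects: {key: (acl, body_text_or_None)}. Returns an exposure summary."""
    public = sorted(k for k, (acl, _) in objects.items() if is_public(acl))
    # Public objects that name other buckets widen the exposure beyond this one.
    linked = set()
    for k in public:
        body = objects[k][1] or ""
        linked.update(re.findall(r"s3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])", body))
    linked.discard(bucket)
    return {
        "bucket": bucket,
        "public_keys": public,
        "public_pct": round(100 * len(public) / len(objects), 1) if objects else 0.0,
        "linked_buckets": sorted(linked),
    }

# Constructed sample data: bucket names, keys and contents are invented.
def _acl(*grants):
    return {"Grants": [{"Grantee": {"Type": t, "URI": u} if u else {"Type": t, "ID": "owner"},
                        "Permission": p} for t, u, p in grants]}
OWNER = ("CanonicalUser", None, "FULL_CONTROL")
ANON = ("Group", "http://acs.amazonaws.com/groups/global/AllUsers", "READ")
SAMPLE = {
    "exports/fans.csv": (_acl(OWNER), None),
    "exports/archive.csv": (_acl(OWNER), None),
    "app/settings.conf": (_acl(OWNER, ANON), "backup_target = s3://example-fans-eu/dump\n"),
    "logs/2017-07.log": (_acl(OWNER), "copied to s3://example-internal/logs\n"),
}
if __name__ == "__main__":
    print(audit("example-fans-us", SAMPLE))
```

Any bucket reported under `linked_buckets` should be audited in turn, since a reference in a publicly readable file discloses its name to anyone who can read that file.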
Information on ethnicity, addresses, and child age ranges caught the attention of privacy advocates. According to Forbes, “[a]mongst the categories within the ethnicity bracket were [C]aucasian, African American, American Indian, Hispanic and Asian, while options for children’s age ranges were under 13, over 13, both or none.”
Joseph Hall of the Center for Democracy and Technology expressed his concerns, stating “[a]ddresses with [the] number and ages of children makes me nervous.”
In the Forbes report on the leak, Hall also went on to note a past incident involving Facebook and the use of ethnic information for targeted advertising. In response to public attention, Facebook stopped allowing advertisers to use this ethnic information for “housing, employment, or credit” advertisements.
Hall stated, “it’s unfortunate Amazon doesn’t have a ‘neighborhood patrol’ of sorts for S3 that checks for open buckets with sensitive data – jiggling the locks, checking for apparent misconfigurations – and then takes them offline.” Amazon has suffered multiple leaks recently related to AWS servers, including a leak of information on 198 million voters in June. It seems such a proactive measure could be beneficial.
The vulnerabilities have been addressed by WWE. At this time, it is unknown whether malicious actors obtained access to the information.
According to MacKeeper Security Research Center, “no information on the wrestlers or staff was accessible.” WWE’s stock value is also allegedly unaffected by the breach, according to prowrestling.net.
Kromtech pointed to “either WWE or an IT solution provider for misconfiguring the Amazon S3 database hosting the data.”