English Premier League football club West Ham has suffered an accidental data breach, with personal information of supporters leaked via the club's official website. First reported by Forbes, error messages were being displayed on West Ham's website, after which the profile information of supporters was shown to other fans who were attempting to log into their own accounts. The data leak left key fan information exposed, including names, dates of birth, telephone numbers, addresses and email addresses.
The error messages were linked to the club's online ticketing service, with numerous error messages being displayed, including an admin message saying "Drupal already installed". When an individual attempted to enter their own login details, they would then be shown another West Ham fan's information. The breach left many fans puzzled, and they took to the club's official fans' forum site KUMB to vent their frustration.
The Hammers, who currently sit in the top half of the Premier League, issued a statement to fans via email confirming the problem had been swiftly resolved and apologising to those affected: "We are aware there was a technical issue when signing into online accounts this morning. We worked with our third-party service provider and they have already resolved this issue."
Providing insight and commentary are the following cybersecurity experts:
Amit Sharma, Security Engineer at Synopsys Software Integrity Group
Vulnerabilities leading to an error screen, leaked data, or supplying details from other system users may be a result of commonly occurring vulnerabilities in the application security domain. A well-known list of common issues can be found in the OWASP Top 10 list. Every application that moves into production should at least be checked for OWASP Top 10 issues as a baseline to avoid and/or mitigate the most common vulnerabilities. These are also crucial for organizations to ensure GDPR compliance. After all, ensuring the confidentiality and integrity of data is vital to protect personal data from exposure.
Javvad Malik, Security Awareness Advocate at KnowBe4
All organisations of all sizes and in all verticals need to foster a culture of cyber security so that all aspects of security and design are taken into account. The leak at West Ham Utd is likely down to an internal error or misconfiguration, which is an easy enough error to make. This is why it’s important to have in place the proper security controls, particularly where customer data is concerned so that there can be assurance that the data is being handled correctly.
Jonathan Knudsen, Senior Security Strategist, Synopsys
Football fans will remember that in July 2020, the theft of nearly £1m from a Premier League football club was narrowly avoided. Before that, in February 2020, a misconfigured application leaked information from the Brazilian ticketing company Futebol Card. The latest news about West Ham is hardly surprising. We will only see these headlines go away when all software deployments are done with security in mind. When organizations of all types have a security-first mindset, we will no longer read sad stories about open databases or misconfigured applications. Problems will still happen, of course, but they will be less common. Let’s make life a little hard for the bad guys. Affected West Ham fans should be aware that their personal information might be available to bad people, and be skeptical of unsolicited calls and emails containing their information.
Natalie Page, Cyber Threat Intelligence Analyst at Talion
The potential ramifications for West Ham United from this incident could be extremely costly. Since the introduction of GDPR, we have seen individual organisations fined as much as £42 million, with an astonishing overall amount of £235 million issued thus far against 533 organisations. For the West Ham United fans potentially affected by this breach, while the club should contact you directly if your details have been exposed, be cautious and act as if your personal details have been breached until notified otherwise. Be alert to incoming texts, calls, and emails utilising the information shared in this incident from unknown sources demanding further personal information or payment. Also consider the password you utilise for this account; if it has been duplicated on other personal accounts, it should be changed promptly.
Stephen Kapp, CTO and Founder at Cortex Insight
The website belonging to West Ham United seems to have suffered from a security issue that put their supporter data at risk. To prevent this from happening again, it is important to carry out security and user acceptance testing when websites are going live. To limit damage from the data leak, West Ham United fans who have accounts with the ticket site should start to pay close attention to their emails and watch out for phishing scams. It will be interesting to see how the ICO handles this security misconfiguration because putting sensitive data at risk is one of the biggest concerns within the GDPR.
Nikos Mantas, Incident Response Expert at Obrela Security Industries
The West Ham United site appeared to have been leaking confidential supporter information which could have put their data into the hands of criminals. Supporters are advised to avoid using the site until West Ham United clearly communicates that the problem has been fixed.
Burak Agca, Security Engineer at Lookout
Attacks against football clubs are not new. We see the same characteristics in comparison to other data breaches and phishing campaigns: the right atmosphere for social engineering, high net value individuals, and a large net of people to target during an important event. During a transfer window last year, one Premier League manager narrowly escaped the loss of £1 million as attackers targeted specific mail accounts. Ransomware targeting IoT devices nearly caused a match to be postponed, with a demand for 400 bitcoins by the attackers, and we’ve seen botnet DDoS attacks leveraging Android devices.
Mobile devices in the hands of consumers represent a significant gap in security, where the user is expected to be fully educated in recognising threats across a variety of attack vectors. It’s a given that a large proportion of BYO devices at a matchday event will have little or no security controls in place, an out-of-date OS, free and third-party apps, and the majority will be connected to free Wi-Fi with the ability to receive texts based on the data harvested by the attackers.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy
The West Ham data leak will put club supporters at real risk of being targeted by the bad actors of the world with phishing attempts via email, text, and phone calls. Supporters will need to beware of any communications that appear to come from the club, as hackers will seek to extract more information (such as financial information) from the victims of the leak.
David Kennefick, Solutions Architect at Edgescan
While the instability of the West Ham United website appears to be still ongoing it is likely that an investigation will be initiated in order to see whether personal data has been breached. This may just have been a few small isolated incidents, that impacted a minority of users. However, in case the breach affected a larger pool of users the club will presumably follow the usual protocols, and if there is a personal data breach the Information Commissioner’s Office (ICO) will be informed.
Sports teams around the world, and particularly in the UK, are adapting to being targeted by cybercriminals due to their financial status. During the last few years, www.ncsc.gov.uk has worked to increase the resilience of the sports industry in the UK. Their reports are a useful resource to help understand how sports clubs can better protect themselves from cyberattacks.
Paul Bischoff, Privacy Advocate at Comparitech.com
“West Ham fans should be on the lookout for phishing emails from scammers posing as West Ham or a related organization. Scammers might use personal details from the database to reach out to West Ham fans and make their messages more convincing. Given that physical addresses were leaked, West Ham fans could also be at risk of physical harassment and stalking.
Never click on links or attachments in unsolicited emails. Always verify the sender before responding.”