FIFA customer details sold on "black market" by insider

Date Reported:
9/10/10

Organization:
Fédération Internationale de Football Association (FIFA)

Contractor/Consultant/Branch:
MATCH Services
MATCH Hospitality AG

Location:
Undisclosed

Victims:
Football (soccer) fans who attended the 2006 World Cup in Germany

Number Affected:
"more than 350,000"

Types of Data:
Personal information including "full name, date of birth and passport number".

Breach Description:
"A Norwegian website has claimed that it is in possession of the personal data of more than 250,000 football fans which were sold on the black market by an employee in the FIFA system."

Reference URL:
Dagbladet
SC Magazine
Computer Weekly
Dark Reading

Report Credit:
Espen Sandli and Torgeir P. Krokfjord, Dagbladet

Response:
From the online sources cited above:

Dagbladet can reveal that confidential lists with personal data concerning at least 250,000 ticket holders have been sold on the black market — by a trusted employee in the FIFA system.
[Evan] According to the reports, the information belongs to people who attended the 2006 FIFA World Cup.  It appears as though there are currently no 2010 FIFA World Cup attendees affected by this breach.

The lists Dagbladet is in possession of contain the full name, date of birth and passport number of the unknowing ticket buyers — as well as detailed information about which games they had tickets to, and where they were seated.
[Evan] I'm curious to know how Dagbladet came into the possession of this information.  Did they buy it?  What do they plan to do with it now that they have disclosed that they have it?

Last week Dagbladet broke the news that 60,000 names were leaked and sold.

Today the newspaper can reveal that the total number has increased to 350,000 entries in the lists. 250,000 of these with full names and sensitive identity-information.

Dagbladet has read several e-mails in which an employee in Match Hospitality, FIFA's official ticket provider, offers ticket lists for sale to a major player on the black market.
[Evan] Man, that's bold!  The seller allegedly shares the fact that he/she is an employee of Match.  Either the seller is not thinking clearly, or he/she has no fear of repercussions.

Dagbladet has confirmed the seller's identity.

According to Rob Rachwald, the interesting hook to this story is that the customer data in question came from the Germany event four years ago and not the South African World Cup last summer.

He says the event is indicative of a number of failures, including carelessness with older databases and unused data, a failure to think beyond the conclusion of the event, and a failure to have a full data security protection and destruction strategy.
[Evan] Amen, among other things.

"At the end of the '06 World Cup, a data destruction process should have been performed, and it clearly didn't occur to anyone [with FIFA or its IT firm]," Rachwald says. "[A good strategy should] identify what you have, attach risk and design a protection and destruction program."

The firm in charge of ticketing and ticketing data at the South African World Cup, Match, a subsidiary of U.K.-based Byrom, was not in charge of ticketing for Germany's World Cup.

It did confirm that it was its own employee who appeared to be responsible for the data's dissemination.

However, it categorically denied that the data came from its own database.

"We have studied the contents of this database and we can categorically say that we have never had access to this information in any form. It is not our database," a spokesperson told the Daily Mail earlier this week. "Ticketing arrangements at the German World Cup, unlike other tournaments, were not undertaken by our firm."

Rachwald, for one, wonders whether the ticketing agency might not even be aware that somewhere in the recesses of its systems it really does have a database containing the data, received in support of its role in the South Africa World Cup this year.

He says that many enterprises have a hard time keeping track of sensitive information such as this and that whoever was responsible for retaining such data could be culpable under EU law, which mandates that old data such as this should be destroyed.

"Organizations need to think beyond just the commercial need to store and process data," he says. "In this case, they should have realized that the passport numbers they had were like sitting on cash -- especially since passport numbers have a long half life. They are around for a while before they expire."

Regardless of which organization is to blame for retaining the old information, the incident serves as another key reminder of the threats that rogue employees can introduce to data if not properly monitored.

"Databases are the primary targets for cybercriminals because stolen personal data is incredibly valuable and easily sold, and databases have a much higher concentration of sensitive data than other data sources, such as email," says Phil Neray. "Unfortunately, this type of insider crime is severe and widespread."
[Evan] So much more widespread than most people realize!  It would be nice to wake someday and poof!  People suddenly recognize the value and risks associated with the data they use.

The Information Commissioner's Office (ICO) is investigating allegations that the personal details were sold on the black market by an official linked to FIFA.

This case calls into question the internal security practices in FIFA, whose IT managers should know better, said Amichai Shulman.  "It confirms something we've been saying for some time, namely that most organisations defend their digital assets against external attack, but they ignore the internal threat at their peril," he said.

"The employees did not hack into the database; it was an internal attack where they abused normal functionality and privileges granted to them," he said.

"This was probably a case of over-privileged users as these low-level employees probably should not have been granted access to that data in the first place."
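The two points above (a rogue employee is a threat "if not properly monitored", and the abuse here was of normal functionality and privileges, not a hack) together describe what a detective control has to look for: not an exploit signature, but which columns a user reads and how many rows come back. The following is an added example written for this page, not code from the original post or from FIFA, MATCH or any firm quoted here. The audit-log line format, the role-to-column policy, the table and column names (`tickets_2006`, `passport_number`, ...), the bulk threshold and the log lines themselves are all assumptions constructed for illustration.

```python
"""Flag an insider bulk export of identity data from a database query log.

Added example, not code from the page or from FIFA/MATCH/Byrom. The audit-log
format, the role-to-column policy, the table and column names, the bulk
threshold and the log lines themselves are assumptions constructed for
illustration; nothing here is a real record.
"""
import re

# Columns that identify a ticket holder (the fields named in the reports).
SENSITIVE_COLUMNS = {"full_name", "date_of_birth", "passport_number"}

# Assumed least-privilege policy: the only columns each role may read.
# A hospitality agent needs seating information, not identity documents.
ROLE_POLICY = {
    "hospitality_agent": {"ticket_id", "match_id", "seat"},
    "accreditation_officer": {"ticket_id"} | SENSITIVE_COLUMNS,
}

# A single statement returning this many rows (or more) that include identity
# columns is treated as a bulk export, whatever the role (assumed threshold).
BULK_ROWS = 1000

# Assumed one-line-per-statement audit format:
#   <ISO time> user=<db user> role=<role> rows=<rows returned> stmt=<SQL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
SELECT_RE = re.compile(r"\bSELECT\s+(.*?)\s+FROM\b", re.IGNORECASE | re.DOTALL)

# Constructed sample: routine seat lookups, one legitimate identity check,
# then a late-night dump of the whole 2006 ticket-holder table.
SAMPLE_LOG = """\
2010-09-01T09:00:01Z user=agent7 role=hospitality_agent rows=1 stmt=SELECT seat, match_id FROM tickets_2006 WHERE ticket_id = 'T1'
2010-09-01T09:00:15Z user=agent7 role=hospitality_agent rows=1 stmt=SELECT seat, match_id FROM tickets_2006 WHERE ticket_id = 'T2'
2010-09-01T09:01:02Z user=officer2 role=accreditation_officer rows=1 stmt=SELECT full_name, passport_number FROM tickets_2006 WHERE ticket_id = 'T3'
2010-09-01T22:14:33Z user=agent7 role=hospitality_agent rows=250000 stmt=SELECT full_name, date_of_birth, passport_number, seat, match_id FROM tickets_2006
2010-09-01T22:20:41Z user=agent7 role=hospitality_agent rows=250000 stmt=SELECT * FROM tickets_2006
"""


def columns_read(stmt):
    """Return the column names a SELECT reads. A `*` reads everything, so it
    is expanded to include the sensitive set rather than slipping past the
    policy check."""
    m = SELECT_RE.search(stmt)
    if not m:
        return set()
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    if "*" in cols:
        return cols | SENSITIVE_COLUMNS
    return cols


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        e["columns"] = columns_read(e["stmt"])
        events.append(e)
    return events


def audit(events):
    """Return one finding per statement that either reads identity columns
    outside the role's policy or bulk-exports identity data."""
    findings = []
    for e in events:
        allowed = ROLE_POLICY.get(e["role"], set())
        outside_policy = e["columns"] & (SENSITIVE_COLUMNS - allowed)
        reasons = []
        if outside_policy:
            reasons.append("reads identity columns outside role policy: "
                           + ", ".join(sorted(outside_policy)))
        if e["rows"] >= BULK_ROWS and e["columns"] & SENSITIVE_COLUMNS:
            reasons.append(f"bulk export: {e['rows']} rows with identity data")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"],
                             "role": e["role"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["user"], f["role"], "; ".join(f["reasons"]))
```

Run against the constructed log, the two routine seat lookups and the accreditation officer's single-row identity check pass, while both late-night statements by `agent7` are flagged twice over: once because a hospitality role has no business reading passport numbers at all, and once because a quarter of a million identity rows came back in one query. The first reason is the one Shulman's comment points at; the preventive fix is not to grant those columns to that role in the first place (column-level grants or a view that omits them), so that the detective check above only ever fires on the second reason.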

The lists Dagbladet has seen contain information about 350,000 ticket holders.

Some 250,000 of those are listed with their full name and personal information.

They are as follows:

• Sweden: 48,781; except for sponsor and team tickets, all are listed by name.

• England: 35,689; most by name.

• USA: 19,702; most by name.

• Switzerland: 35,723; most by name.

• Portugal: 41,385; not listed by name.

• Poland: 30,664; many by name.

• The Netherlands: 36,290; most by name.

• Italy: 35,228; some listed by name.

• Germany: 651; all reserved for the national team for each game.

• France: 32,411; not listed by name.

• Spain: 26,468; most by name.

• Croatia: 32,716; most by name.

This is only the number of names in the lists Dagbladet has in its possession. There are more lists on the market.
[Evan] Again, what does Dagbladet intend to do with this information now?

Commentary:
It is sad that neither FIFA nor Match appear to have made public announcements regarding this breach, even if only to say that they are investigating and determining next steps (or something similar).  I am also concerned about other data in the possession of FIFA/Match.

Past Breaches:
Unknown
