BCCI exposed players' personal sensitive data
Earlier this month Kromtech Security Center researchers came across another trove of sensitive information which was stored without proper security settings.
The Board of Control for Cricket in India (BCCI) exposed sensitive personal data of several thousand Indian applicants from the 2015-2018 cricket seasons. We estimate the total number of affected people to be around 15-20 thousand.
The Board of Control for Cricket in India (BCCI) is the national governing body for cricket in India.
Scanned documents such as player registration forms with IDs, voter and bank documents were stored on two misconfigured S3 buckets and could be accessed from anywhere in the world. Information was carefully sorted and included different categories of players, including those under 19 years old.
Registration forms appeared to contain a vast amount of personal information, including information about the applicant's relatives.
Repositories were quickly secured after Kromtech researchers contacted BCCI via local representatives and informed the police.
At the time of publication we had not received official comments from BCCI.
IG Maharashtra Cyber police are informing BCCI and asking them to take necessary corrective action. Also I thank Kromtech for bringing it to our notice.
Kromtech Tools and Services
In October 2017 the Kromtech Security Center released a free scan tool that helps identify and secure publicly accessible Amazon S3 Buckets within an organization's network. We have also published an in-depth guide explaining how to secure Amazon S3 buckets for better data security.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.