Amazon S3 Bucket Misconfiguration Exposes Indian Cricket Players' Sensitive Information
Earlier this month, researchers at the Kromtech Security Center once again discovered two Amazon S3 buckets that were exposed online due to misconfiguration. Judging from their contents, the buckets appear to belong to the Board of Control for Cricket in India (BCCI).
BCCI is the national cricket management agency in India. The researchers said that the two exposed S3 buckets contained a large amount of sensitive data relating to about 15,000 to 20,000 Indians who submitted season entry applications to BCCI from 2015 to date.
Files such as player registration forms containing ballot numbers, ballot papers, and bank documents can be found in both S3 buckets and can be accessed from anywhere in the world. The information is carefully organized by player category, including young players under the age of 19.
The player registration form contains not only a great deal of personal information about the applicant but also personal information about some of the applicant's relatives, as follows:
- Applicant’s name, date of birth
- Place of birth
- Permanent address
- Email address
- Phone number/fixed phone number
- Emergency contact phone number
- Proficiency
- Medical records
- Birth certificate number / passport number / SSC certificate number / PAN card number and various scans
Researchers at the Kromtech Security Center contacted the BCCI through local representatives and informed the police. The bucket was quickly protected, but BCCI did not make an official comment.
Source: hackread