Unprotected Azure bucket exposed passports of prominent volleyball players and journalists

Written by Tue 2 Feb 2021

European Volleyball Confederation uploads sensitive credentials to unprotected cloud storage instance

An exposed storage bucket on Microsoft’s cloud made accessible a stockpile of passports and IDs belonging to leading volleyball players and reporters.

The unprotected Azure blob share instance, discovered by an intelligence researcher in November last year, was accessible to anyone who knew where to look.

If they did, they’d have found hundreds of scans of passports, driver’s licenses and other identity documents, some belonging to prominent journalists and media representatives who handed them over for authentication and accreditation purposes.

What was the source of the leak? According to Bleeping Computer’s investigation, which unearthed its origins, the culprit was the Confédération Européenne de Volleyball (CEV) or European Volleyball Confederation.

Analysis of the URL, first discovered by researcher Bob Diachenko, revealed a treasure trove of identity data that in the wrong hands could have enabled fraud, large-scale identity theft and spear-phishing.

Several journalists contacted by Bleeping Computer confirmed the authenticity of the exposed credentials, affirming they were submitted to CEV for press accreditation to major tournaments.

“Indeed I was accredited in some CEV events, most recently in January in Berlin for Olympic volleyball qualification and as far as I remember I had to provide details of my ID in order to get the accreditation card,” Tomas Kohlmann, a Czech Republic-based sports reporter, told BleepingComputer.

Alarmingly, CEV were painfully slow to respond when the security publication alerted them to the unprotected storage bucket.

Its journalists reached out at the end of November, receiving the silent treatment until December 11, when CEV’s legal team confirmed via email it was investigating the issue. That email was recalled five minutes after it was sent.

Over a month later, on January 29, the storage instance was quietly secured and remains inaccessible to the public. CEV remain deathly silent and it’s unclear if any bad actor successfully accessed the files.

The incident will attract fresh scrutiny to lax cloud security practices that have led to numerous cases of sensitive data being exposed on public cloud storage buckets.

Indeed, according to Gartner, 99% of cloud security mishaps will continue to be a result of misconfigurations caused by human error through 2025.

Anurag Kahol, CTO at cybersecurity vendor Bitglass, said the onus was on companies using cloud services to ensure data storage buckets are configured correctly and are properly secured.

“Sensitive and personally identifiable information (PII) should never be accessible by unauthorised parties, as this kind of information can enable identity theft and highly targeted spear-phishing campaigns,” Anurag said.

“Bad actors often leverage tools that detect misconfigurations within IT assets like an unsecured AWS database. To safeguard customer data, organisations must have full visibility and control over their data in order to prevent breaches and leaks,” he added.
