World Wrestling Entertainment – the home of America's top costumed pantomime actors – has admitted that it exposed members online for anyone to see.
Kromtech Security Research Center found a database containing information on three million US subscribers to WWE on an unsecured Amazon S3 bucket. The data included addresses, telephone numbers and names of subscribers, plus some information on European customers who had shopped at WWE's online store.
"Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured," WWE said in a statement.
"WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with AWS, Smartronix and Praetorian to ensure the ongoing security of our customer information."
It's unclear if the internet-facing Amazon cloud database was operated by WWE itself or a third-party developer working for the sports entertainment giant, although the statement strongly implies the latter. The organization is just the latest in a long line of companies that have gotten caught out with poor security on AWS.
Security researcher Chris Vickery has made headlines over the past year in scanning for and finding just these databases, and other security firms are getting in on the game. Finding this data is easy if you have the time and the wherewithal to develop simple scripts for scanning – and both security researchers and online criminals know this.
Open the curtain, please...
WWE isn't the only company having a bad start to the weekend. B&B Theater has admitted that it too has suffered a data breach – although one that is more serious than WWE's snafu. After an infection in its payment systems, customers who used their cards to book cinema seats between September 1, 2015 and April 7, 2017 might want to check their statements for unauthorized withdrawals. ®