WWE’s unprotected database – affecting over three million fans

Anger amongst WWE wrestling fans is thought to be rife after revelations that up to three million fans’ account information has been left unprotected and accessible on the Amazon cloud.

It’s thought that WWE is watched by 15 million fans each week in the U.S. alone. In 2016, they announced plans to expand to China, opening a potential fan base of 1.4 billion. It’s scary to think that an organisation as big as this and with so many fans could leave data belonging to three million people totally unsecured.

It’s one heck of a monumental data breach…

What was breached?

According to Forbes, Bob Dyachenko from cyber-security firm Kromtech said he discovered a “huge, unprotected WWE database” containing more than three million users’ personal information.

The data trove is thought to include names, home addresses, email addresses, educational backgrounds, earnings, ethnicities, dates of birth, customers’ children age ranges and gender. The data was discovered without username or password protection; i.e. without the most basic of cyber-security protection protocols.

Public access

Mr Dyachenko discovered two open and publicly accessible Amazon S3 Buckets that contained masses of information collected by third party agencies used for WWE marketing purposes. He goes on to say that an estimated 12% of all the information was set to ‘public access’ which means it’s readily available for the general public with internet access.

Anyone accessing the information could also download it.

Two buckets of data found wide-open

Of the two databases, the first Amazon S3 Bucket contained a lot of emails in plain text with data thought to be from 2014 to 2015. The total amount of records is thought to amount to 3,065,805. This figure was checked by researchers for duplication, and the results showed they were unique.

The second Amazon S3 Bucket showed that around 12% – 15% of the data was partially set for public access. It contained a huge amount of marketing and customer data, including billing data, usernames and addresses. This database also contained information on hundreds of thousands European customers who had shopped at the online store from 2016.

There were also spreadsheets of WWE fans’ marketing preferences. This included social media tracking of the WWE social media accounts like YouTube, with weekly total of plays, likes, shares, comments and how to gauge fan interactions. This spreadsheet was broken down into countries, most likely for targeted marketing purposes.

Databases secured after a couple of hours

According to Mr Dyanchenko, the databases were secured within a couple of hours on 4^th July 2017 after Kromtech security sent notification messages to WWE Corporation developers. However, no one knows how long the data was exposed for and how many people have accessed the database.

A WWE spokesperson said they were working with “a leading cybersecurity firm” to find the cause of the leak.

Many of WWE’s folders were protected, prohibiting public access to employee and wrestler information. It begs the question as to why WWE’s fans’ information wasn’t sufficiently protected in the same way employees and wrestlers were.

The U.K.’s privacy watchdog, the Information Commissioner’s Office (ICO), may look into the breach.

Is “military-grade” cyber-security required to combat data breaches?

Google employees fall victim to data breach