Lax internal security blamed for FIFA data leaks

Lax internal security at world football governing body FIFA is likely to blame for an alleged leak of the details of thousands of England fans, says security firm Imperva.

The Information Commissioner's Office (ICO) is investigating allegations that the personal details were sold on the black market by an official linked to FIFA.

The information relates to fans who bought tickets for the 2006 FIFA World Cup in Germany, the ICO said in a statement.

"Our initial enquiries suggest the information in question consists of the name, date of birth and passport number of approximately 7,200 individuals," the ICO said.

The investigation was prompted by claims in a Norwegian newspaper that the details of 250,000 fans, who watched games at the 2006 tournament, had been sold to ticket touts ahead of this summer's tournament in South Africa, according to the Guardian.

This case calls into question the internal security practices in FIFA, whose IT managers should know better, said Amichai Shulman, Imperva's chief technology officer.

"It confirms something we've been saying for some time, namely that most organisations defend their digital assets against external attack, but they ignore the internal threat at their peril," he said.

According to Shulman, this serious breach of trust could have been avoided if FIFA had monitored and secured its staff's access to football fans' personal data, as well as to the association's files and databases.

"The employees did not hack into the database; it was an internal attack where they abused normal functionality and privileges granted to them," he said.

"This was probably a case of over-privileged users as these low-level employees probably should not have been granted access to that data in the first place."

