Misconfigured WBSC server leaks thousands of passports
September 29, 2023
The World Baseball Softball Confederation (WBSC) left open a data repository exposing nearly 50,000 files, some of which were highly sensitive, the Cybernews research team has discovered.
On June 5th, our researchers discovered a misconfigured Amazon Web Services (AWS) bucket storing nearly 48,000 files.
A bucket is a container for storing data within AWS’s cloud storage system. The misconfiguration exposed the repository’s contents.
According to our team, the exposed files belonged to the WBSC, the world governing body for baseball, softball, and Baseball5 – a recently introduced sport combining the previous two.
The WBSC, headquartered in Switzerland, was established in 2013 and currently has 141 countries as members located in Asia, Africa, the Americas, Europe, and Oceania.
Worryingly, among the contents of the misconfigured AWS bucket, which the WBSC closed after being contacted by the team, were copies of 4,600 national passports.
We have reached out to the WBSC for further comment but did not receive a response before publishing this article.
“Since passports contain a significant amount of personal information, including full names, date of birth, and a unique passport number, cyber criminals could use them to impersonate victims and steal their identities.”the team said.
What are the risks of exposing passport data?
Government-issued documents are arguably the most important form of identification a person holds. According to the team, having passport data exposed puts individuals at risk of identity theft.
“Since passports contain a significant amount of personal information, including full names, date of birth, and a unique passport number, cyber criminals could use them to impersonate victims and steal their identities,” the team said.
Malicious actors can use stolen information to engage in fraudulent activities like opening bank accounts, applying for loans, and executing other types of fraud.
Cybercrooks can also use stolen IDs to create counterfeit passports for traveling purposes. Stolen details can be sold on dark web forums, which later are sold to third parties that develop fake documents.
“Direct financial loss is also a possible risk. Identity thieves may attempt to gain unauthorized access to bank accounts or credit cards and use stolen identity to make fraudulent transactions,” the team said.
Another risk people whose passports were exposed have to deal with is spear phishing attacks. Criminals with access to target IDs can combine it with publicly available information to devise convincing social engineering attacks.
That way, cybercriminals can coax victims into providing further information or manipulate them into taking specific actions.
What should the WBSC do?
Take a look at the report published by Cybernews:
https://cybernews.com/security/wbsc-data-leak-passports/
About the author: Vilius Petkauskas, Deputy Editor @Cybernews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, WBSC)