Rugby Union investigates 70,000-member data leak

Leaky S3 bucket has since been plugged

Rugby Union investigates 70,000-member data leak

The Welsh Rugby Union (WRU) has launched an investigation after a data breach allegedly exposed nearly 70,000 members' personal information.

The leak, reported by Cybernews last week, raises concerns about potential phishing attacks, identity theft and even physical harm.

The exposed data was stored on a publicly accessible AWS S3 bucket, containing a trove of sensitive information.

The data in the bucket included full names, dates of birth, phone numbers, home addresses, email addresses, membership purchase details and even the type of membership purchased.

Cybercriminals could use this information to launch bespoke social engineering attacks against WRU members.

Armed with the leaked data, the attackers could pose as legitimate entities, such as the WRU itself, in emails, phone calls or text messages to steal more information, like banking details, or trick people into downloading malware.

The exposed data also presents a risk of doxxing (the malicious online publication of private information). Malicious actors could exploit this information for theft, burglary or physical harm.

In a statement on its website, WRU said it was conducting a "robust and full investigation" into the breach, including "complying with relevant reporting requirements to the ICO."

"We believe they relate to one of our service provider's systems and we are working closely with the provider, which is also implementing its own in-depth inquiry," it said.

"All of this data has since been removed from the online source and it has already been established that no password or payment information has been compromised."

"No other vulnerabilities or suspicious activities have been found in WRU systems after a thorough review of all systems and processes."

The WRU has yet to confirm the exact number of affected members, claiming some duplication exists within the 70,000 figure reported. The organisation hasn't shared the specific third-party provider involved or how the security breach occurred.

The WRU is urging all affected members to be vigilant against suspicious emails, phone calls or messages.

The breach highlights the vulnerability of sports organisations, which often hold valuable data on players, fans and ticket purchasers.

In January it was found that Football Australia exposed a vast amount of data, including sensitive information about ticket buyers and players, through AWS buckets.

Similarly, information belonging to the French Football Federation (FFF) leaked online in March.