Centre for Internet & Society

The IT security researchers at Kromtech Security Center discovered a trove of personal and sensitive data belonging to around 15,000 to 20,000 Indian applicants participating in cricket seasons 2015-2018.

The blog post was published on Hack Read on May 15, 2018.

The authority responsible for protecting this data was The Board of Control for Cricket in India (BCCI) but it was left exposed to the public in two misconfigured AWS (Amazon Web Service) S3 cloud storage buckets.

According to the analysis from Kromtech researchers, the data was divided into different categories of players including those under 19 years old. The data was accessible to anyone with an Internet connection and basic knowledge of using AWS cloud storage.

The data was discovered earlier this month and included names, date of birth, place of birth, permanent addresses, email IDs, proficiency details, medical records, birth certificate number, passport number, SSC certificate number, PAN card number, mobile number, landline and phone number of the person who can be contacted in case of emergency.

Indian Cricket Board Exposes Personal Data of Thousands of Players

Screenshot of one of the files that were exposed (Image credit: Kromtech)

At the time of publishing this article, the BCCI was informed by Kromtech researchers and both misconfigured buckets were secured. However, this is not the first time when such sensitive information was leaked online. In 2017, Bangalore-based Centre for Internet and Society (CIS) found that names, addresses, date of birth, PAN card details, Aadhaar card numbers and other relevant details of millions of Indian citizen could be found with just a simple Google search.

On the other hand, lately, AWS buckets have been making headlines for the wrong reasons. Until now, there have been tons of cases in which misconfigured AWS buckets have been found carrying highly sensitive and confidential data such as classified NSA documents or details about US Military’s social media spying campaign.

In two such cases, malicious hackers were able to compromise AWS buckets belonging to Tesla Motors and LA Times to secretly mine cryptocurrency. Therefore, if you are an AWS user make sure your cloud server is properly secured.