Football Australia reveals data breach

Participants' private information has reportedly been exposed after a data breach at Football Australia.

The weakness in the governing body’s online security exposed a range of data - including players' personal details, contracts, and passports, as well as additional data about ticket purchase information, and detailed source code and scripts of Football Australia's digital infrastructure – to being leaked online.

According to independent cybersecurity research publication Cybernews, the Football Australia accidentally left plain-text digital ‘keys’, including ‘secret keys’, lingering in the publicly-accessible code of its sub-domain, meaning anybody could access it if they knew where to look.

These keys are understood to have supposedly provided the publication's researchers with access to 127 digital storage containers which contain data and private details from grassroots participants all the way through to national team players.

Cybernews say they contacted Football Australia about the data breach, and that the governing body fixed the issue before the researchers published their story.

They claim the most likely reason behind the data breach was human error, "as a developer likely inadvertently left a reference hidden in a script accessible to the public. Nevertheless, the mistake represents a critical data exposure incident".

On Wednesday afternoon, FA's centralised registration platform PlayFootball was taken offline for a few hours, returning "504 Error" messages when people tried to register for upcoming competitions. The platform went back online later that evening.

In a statement on Thursday, Football Australia said it was "aware of reports of a possible data breach and is investigating the matter as a priority.

"Football Australia takes the security of all its stakeholders seriously.

"We will keep our stakeholders updated as we establish more details."

Following reports on 7 News Sydney today (Saturday 3rd February), Football Australia released a further statement, correcting what it called “misreporting” on the matter.

The Football Australia statement advised that the 7 News Sydney “report contains several inaccuracies and was highly speculative, despite Football Australia providing the relevant facts to the reporter.

“Although we are aware of the inadvertent exposure of certain credentials on Football Australia's FIFA Connect System, it's crucial to clarify the nature of the inadvertent exposure. Contrary to the claims in the 7 News report, the exposed credentials did not provide access to information such as international player contracts, domestic participation registration data, or competition details.

“We emphasise that the suggestion that community registration platforms were at risk is misleading, as is the linking of betting and match manipulation. In any case, Football Australia acted swiftly and remedied that exposure within hours of becoming aware.”

FIFA Connect is an initiative by FIFA to assist member associations in systematically registering all stakeholders, including players, coaches and referees.