The data was found on an AWS S3 server with no access controls or security policies.
The personal information of over three million WWE fans may be at risk following a major data leak which was revealed earlier this week.
According to reports by Forbes, an unprotected WWE database containing the information of three million users was left open to search by anyone who knew the web address.
The database was uncovered by Bob Dyachenko, from security firm Kromtech, who revealed that the data included home and email addresses, birthdays, ages of customers and their children, genders and ethnicities. The data, reportedly stored in plain text, was found on an AWS S3 server with no access controls or security policies.
“This incident serves to highlight the shared responsibility model of the cloud and reinforces the fact that while cloud applications themselves can be secure, it is up to enterprises to use the applications securely,” said Anurag Kahol, CTO at Bitglass.
“In relation to this specific case, there are technologies available today that could have quickly, easily and cost effectively encrypted the sensitive customer PII, en route to the cloud. This would ensure that even after unauthorised access, the data would have been protected.”
The WWE has been quick to reassure fans that no credit card or password information was included in the data leak, with the professional wrestling giant saying in a statement:
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured.
“WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”
The WWE was told about the leak by Dyachenko on July 4th, with the database in question then moved so that it was no longer accessible.