On June 16th, our researchers came across two misconfigured, meaning publicly exposed, Google Cloud Storage buckets. Both combined, they contained over 1.1 million files. Among them were hundreds of passports, government-issued IDs, and drivers’ licenses belonging to FIA World Endurance Championship (FIA WEC) drivers.
Introduced in 2012, FIA WEC features eight endurance races across the world, including its cornerstone stage – 24 hours at Le Mans. Hundreds of drivers and top car brands, including Cadillac, Ferrari, and Porsche, are competing in the prestigious race with three stages left to complete.
FIA WEC data leak
The Cybernews research team discovered two publicly exposed storage buckets containing 1.1 million files. Public exposure of such databases means that anyone could easily access sensitive data and abuse it. Namely, the leaked data included:
The exposed documents belong to elite racers of the endurance championship. Many are longtime participants in the race, with some having even won various stages of the competition. In an abundance of caution, we’re choosing not to disclose their identities.
The exposed storage buckets belong to the fiawec (.) com website, managed by Le Mans Endurance management.
Following the correspondence with Cybernews, the exposed datasets were secured and are not leaking data at the time of writing. However, an incident where personal data is disclosed without authorisation is a violation of the General Data Protection Regulation (GDPR).
Cybernews has reached out to both the company and local data protection authority (CNIL in France) for an official comment. CNIL said it had “not received any complaints or reports about this case,” and we’ve yet to receive a response from the company.
What can thieves do with passports?
Whether it’s a physical document or just a digital copy, one’s passport or driver’s license is of great value to a thief.
With such a trove of personal information, a criminal could impersonate victims, essentially stealing their identities and running wild with them.
“They may engage in fraudulent activities, create bank accounts, apply for loans. Furthermore, cybercriminals may attempt to acquire unauthorized access to bank accounts or credit cards and use stolen identities to conduct fraudulent transactions, resulting in financial loss and harm to victims’ credit scores.
Criminals might also exploit the information to craft highly personalized and targeted attacks against the drivers whose information was exposed in the leak.
If you want to know which are recommendations for Le Mans Endurance Management provided by CyberNews read the original post at: https://cybernews.com/security/fiawec-data-leak/
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, FIA World Endurance Championship)