News: 1728569650

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Fore-get about privacy, golf tech biz leaves 32M data records on the fairway

(2024/10/10)


Nearly 32 million records belonging to users of tech from Trackman were left exposed to the internet, sitting in a non-password protected database, for an undetermined amount of time, according to researcher Jeremiah Fowler.

Trackman is a technology company that uses Doppler radar to analyze golf swings and shots. The PGA Tour, pro golfers, and amateurs use its products. In addition to the thousands of professionals, and 10,000-plus coaches and club-fitters, the company [1]claims 90 of the world's top 100 players use Trackman tech, along with manufacturers including Bridgestone and Callaway, and major broadcasting companies like Golf Channel, ESPN, BBC, NHK, and CNN World.

While it's very good at tracking golf balls at major tournaments and the Olympics, it appears that protecting users' data may be trickier – leaving their data online in this way puts users at risk of device hacking, social engineering and phishing attacks, as well as other digital crimes.

[2]

Fowler spotted and reported the open Microsoft Azure Blob database in early August, and said it contained 31,602,260 records that shared users' names and email addresses, along with device info, IP addresses, and security tokens. In total, 110 TB of sensitive information was there for the taking by any digital crooks, we're told.

[3]

[4]

While Trackman sealed off the database very quickly after Fowler reported it to them, he says he never received a reply.

"It appears they never notified device owners/users or made the notification public that there was a data exposure," Fowler told The Register . "I didn't see anything posted online or in a Google search regarding a data exposure. Unfortunately that's a pretty common response – to give no response."

[5]

The Register also contacted Trackman and did not receive any response to questions including how long the database was left unlocked, or if the company received any reports of malicious activity.

In a report published today, Fowler noted that some of the records stored in Azure Blob appeared to contain sensitive info belonging to professional golfers. One (redacted) screenshot contains the name, email address, and operating system details of one such pro user, along with log files displaying the Wi-Fi connection used by the device, plus API, IP addresses, and security token.

"Any data exposure that contains names and emails could potentially be used to target those individuals for spam, malware distribution, spear phishing attempts or social engineering campaigns," Fowler [6]wrote , noting that pro athletes also represent "higher-value targets" to criminals.

[7]

While the infosec pro said he doesn't have any insight into whether the exposed data was used for nefarious purposes, it wouldn't take much technical expertise for a low-level criminal to use the info in a phishing or social engineering campaign intended to steal additional personal information or payment details.

"The fact that now anyone has access to AI tools like ChatGPT they can create realistic content that is less likely to raise suspicions," Fowler told The Register .

Plus, considering the number of records exposed, would-be criminals "have a massive list of users to work from," he added.

[8]31.5M invoices, contracts, patient consent forms, and more exposed to the internet

[9]Thousands of orgs at risk of knowledge base data leaks via ServiceNow misconfigurations

[10]National Public Data files for bankruptcy, admits 'hundreds of millions' potentially affected

[11]Marriott settles for a piddly $52M after series of breaches affecting millions

"For example, criminals could clone a login page and email users to update their password (new and current) or prompt them to update their payment information," Fowler said. "This would be a very easy and effective method to potentially gain access to their accounts and obtain their payment information. The users would have no reason to doubt this was a legitimate request until it's too late."

That's on the low-tech side of things. A more sophisticated attacker could also hack users' devices to deploy malware, intercept Wi-Fi data, or even build a botnet using Trackman devices.

"This would be a scenario where top-level hackers or nation state actors could potentially have access to a complete network of internet-connected devices that could be used for malicious purposes such as a botnet used to launch distributed denial-of-service attacks, steal data, send spam, distribute malware and more, all without the device owner knowing," Fowler said, in what he told us would be a "hypothetical worst-case scenario of how top-tier cybercriminals pose the biggest risk."

Again, we have no evidence to suggest that the firm's devices have been used in a botnet attack – or for any other criminal activity. But if you are one of the company's customers, it's a good idea to keep an eye out for anything suspicious. And in general, use strong passwords, not the 1-2-3-4 variety. ®

Get our [12]Tech Resources



[1] https://www.trackman.com/references

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zwf6KdJudNbAEDmQc2zBhQAAABQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwf6KdJudNbAEDmQc2zBhQAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwf6KdJudNbAEDmQc2zBhQAAABQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwf6KdJudNbAEDmQc2zBhQAAABQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.websiteplanet.com/news/trackman-breach-report/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwf6KdJudNbAEDmQc2zBhQAAABQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/08/26/31m_invoices_business_files_exposed/

[9] https://www.theregister.com/2024/09/19/servicenow_knowledge_base_leaks/

[10] https://www.theregister.com/2024/10/09/national_public_data_bankrupt/

[11] https://www.theregister.com/2024/10/09/marriott_settlements_data_breaches/

[12] https://whitepapers.theregister.com/



Korev

So a security hole in one?

MiguelC

Nicely putt!

Korev

Join the club!

IanRS

A complete balls-up, leaving their users tee'd off.

Data custodians + access key

Anonymous Coward

That's why most companies should be forbidden to collect or store personal identification data.

Instead everyone should choose from a few reliable custodians. For example Apple, Google, etc. Those could also be national bodies, like tax authorities etc. But all must use a common standard to help compete and enable changing a custodian. A large data leak should make the custodian lose the data holding license. Governments should pay custodians for the service.

Other companies should only have unique person's number, generated for a specific contract/service. And a key to access necessary data from custodians ONLY for specific transactions. The person should be messaged on each access. Data should never be shared with 3rd parties. Instead they will get keys as anyone else.

Blockchain can be used to keep the data consistent: people do not change addresses, emails or phone numbers often. This will also protect from identity theft or reveal scammers. Users or custodians should not be able to modify or delete the data, unless for specific policy/reasons.

Re: Data custodians + access key

IanRS

No! No! No!

You want to give companies who are already the world's biggest trackers the information about where everybody is going for every site which is personalised enough to require an individual's data? And make it so that when their systems go down, nobody can get into anything at all? If you think they can make it 100% reliable, just consider Office364. And then store everyone's data on a blockchain? The whole point of a blockchain is that it is public so that data and changes to the data on it can be seen by all parties.

Tis man's perdition to be safe, when for the truth he ought to die.