Initially reported by the Norwegian newspaper Dagbladet, the breach came to light when an employee of the firm in charge of World Cup 2010 ticketing circulated an e-mail peddling the details of more than 250,000 customers from the 2006 World Cup, including such personal information as birth dates and passport details.
According to Rob Rachwald, director of security strategy at database monitoring firm Imperva, the interesting hook to this story is that the customer data in question came from the Germany event four years ago and not the South African World Cup last summer. He says the event is indicative of a number of failures, including carelessness with older databases and unused data, a failure to think beyond the conclusion of the event, and a failure to have a full data security protection and destruction strategy.
"At the end of the '06 World Cup, a data destruction process should have been performed, and it clearly didn't occur to anyone [with FIFA or its IT firm]," Rachwald says. "[A good strategy should] identify what you have, attach risk and design a protection and destruction program."
The firm in charge of ticketing and ticketing data at the South African World Cup, Match, a subsidiary of U.K.-based Byrom, was not in charge of ticketing for Germany's World Cup. It did confirm that it was its own employee who appeared to be responsible for the data's dissemination. However, it categorically denied that the data came from its own database. "We have studied the contents of this database and we can categorically say that we have never had access to this information in any form. It is not our database," a spokesperson told the Daily Mail earlier this week. "Ticketing arrangements at the German World Cup, unlike other tournaments, were not undertaken by our firm."
Imperva's Rachwald, for one, wonders whether the ticketing agency might not even be aware that somewhere in the recesses of its systems it really does have a database containing the data, received in support of its role in the South Africa World Cup this year. He says that many enterprises have a hard time keeping track of sensitive information such as this and that whoever was responsible for retaining such data could be culpable under EU law, which mandates that old data such as this should be destroyed.
"Organizations need to think beyond just the commercial need to store and process data," he says. "In this case, they should have realized that the passport numbers they had were like sitting on cash -- especially since passport numbers have a long half-life. They are around for a while before they expire."
Regardless of which organization is to blame for retaining the old information, the incident serves as another key reminder of the threat rogue employees pose to data when their access to it is not properly monitored.
"Databases are the primary targets for cybercriminals because stolen personal data is incredibly valuable and easily sold, and databases have a much higher concentration of sensitive data than other data sources, such as email," says Phil Neray, vice president of security strategy and marketing for Guardium, an IBM Company. "Unfortunately, this type of insider crime is severe and widespread. Verizon's recent report found that 90 percent of internal breaches are the result of deliberate and malicious activity. With so many organizations across all industries regularly attacked by their own employees -- as well as outsourced personnel -- companies need to continuously monitor and audit what's happening to their databases from the inside and out, in real-time."
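The two pieces of advice quoted above, Rachwald's "identify what you have, attach risk and design a protection and destruction program" and Neray's call to monitor what happens to databases from the inside, can both be reduced to checks that run against ordinary inventory and audit data. The script below is an added example and is not code from the article or from Imperva, Guardium, IBM, FIFA, Match or Byrom. Its inventory, table names, user names, audit-log format, one-year retention period and 5 percent read threshold are all assumptions made for illustration; the only facts taken from the record are the dates of the 2006 and 2010 finals.

```python
"""Added example (not from the article or any company named in it).
Two checks matching the advice quoted above:
  1. a retention sweep over a constructed data inventory, ranking datasets
     that have outlived the event they supported;
  2. a database-activity rule over constructed audit-log lines that flags a
     user who reads a large share of a passport-bearing table.
Names, log format, retention periods and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

SENSITIVITY = {"passport": 3, "dob": 2, "name": 1, "email": 1}  # assumed weights


@dataclass
class Dataset:
    name: str
    contains: set        # data classes held, e.g. {"passport", "dob"}
    event_end: date      # the purpose this data served ended on this date
    retention_days: int  # assumed policy: days it may be kept after event_end


def risk_score(ds):
    """'Attach risk' step: sum the weights of the data classes present."""
    return sum(SENSITIVITY.get(c, 0) for c in ds.contains)


def expired_datasets(inventory, today):
    """Return (dataset, days_overdue) for datasets past their retention
    deadline, highest risk and longest overdue first."""
    overdue = []
    for ds in inventory:
        deadline = ds.event_end + timedelta(days=ds.retention_days)
        if today > deadline:
            overdue.append((ds, (today - deadline).days))
    overdue.sort(key=lambda p: (risk_score(p[0]), p[1]), reverse=True)
    return overdue


# Assumed audit-log format: one line per statement, with rows returned.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
                    r"rows=(?P<rows>\d+) sql=(?P<sql>.*)$")


def parse_log(lines):
    """Parse audit-log lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["rows"] = int(e["rows"])
            events.append(e)
    return events


def bulk_readers(events, table_sizes, sensitive_tables, max_share=0.05):
    """Sum rows read per (user, table) and flag anyone who read more than
    max_share of a sensitive table in the log window. Single-row lookups by
    an application account stay far below the threshold; a dump does not."""
    totals = {}
    for e in events:
        if e["table"] in sensitive_tables and e["sql"].lstrip().upper().startswith("SELECT"):
            key = (e["user"], e["table"])
            totals[key] = totals.get(key, 0) + e["rows"]
    alerts = []
    for (user, table), rows in totals.items():
        share = rows / table_sizes[table]
        if share > max_share:
            alerts.append({"user": user, "table": table, "rows": rows, "share": round(share, 3)})
    return sorted(alerts, key=lambda a: a["rows"], reverse=True)


# Constructed inventory. The 2006 and 2010 finals were 9 July 2006 and
# 11 July 2010; the retention periods are assumptions.
INVENTORY = [
    Dataset("wc2006_ticket_customers", {"passport", "dob", "name"}, date(2006, 7, 9), 365),
    Dataset("wc2010_ticket_customers", {"passport", "dob", "name"}, date(2010, 7, 11), 365),
    Dataset("newsletter_subscribers", {"email"}, date(2010, 7, 11), 1095),
]
TABLE_SIZES = {"wc2006_ticket_customers": 250_000,
               "wc2010_ticket_customers": 3_000_000,
               "newsletter_subscribers": 50_000}
SENSITIVE_TABLES = {ds.name for ds in INVENTORY if "passport" in ds.contains}

# Constructed audit-log lines: routine lookups by the app account, then one
# user reading the whole 2006 table in two queries, plus a malformed line.
SAMPLE_LOG = [
    "2010-11-30T09:12:01Z user=app_svc table=wc2010_ticket_customers rows=1 sql=SELECT * FROM wc2010_ticket_customers WHERE id=?",
    "2010-11-30T09:12:05Z user=app_svc table=wc2010_ticket_customers rows=1 sql=SELECT * FROM wc2010_ticket_customers WHERE id=?",
    "2010-11-30T22:41:17Z user=jdoe table=wc2006_ticket_customers rows=120000 sql=SELECT name,dob,passport_no FROM wc2006_ticket_customers WHERE id<=120000",
    "2010-11-30T22:44:02Z user=jdoe table=wc2006_ticket_customers rows=130000 sql=SELECT name,dob,passport_no FROM wc2006_ticket_customers WHERE id>120000",
    "2010-11-30T23:01:00Z user=dba table=newsletter_subscribers rows=50000 sql=SELECT email FROM newsletter_subscribers",
    "malformed line that the parser must ignore",
]
AS_OF = date(2010, 11, 30)  # assumed date of the sweep


def run_checks(today=AS_OF):
    """Run both checks on the constructed data and return their findings."""
    return {"expired": expired_datasets(INVENTORY, today),
            "alerts": bulk_readers(parse_log(SAMPLE_LOG), TABLE_SIZES, SENSITIVE_TABLES)}


if __name__ == "__main__":
    findings = run_checks()
    for ds, days in findings["expired"]:
        print(f"DESTROY {ds.name}: risk={risk_score(ds)} overdue={days}d")
    for a in findings["alerts"]:
        print(f"ALERT {a['user']} read {a['share']:.0%} of {a['table']} ({a['rows']} rows)")
```

Run as-is, the sweep lists only the 2006 customer table, more than three years past its assumed deadline, and the activity rule flags the one user who read every row of it, while the application account's lookups on the much larger 2010 table go unmentioned. The share-of-table measure is what makes the rule useful against the scenario in the story: an insider rarely needs a single huge query when two or ten smaller ones add up to the same dump.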