HYDERABAD: Passport details of 1,138 personnel of the All India Football Federation (AIFF) were exposed due to security vulnerabilities in their official website. Aadhaar data of AIFF staff and playerswere also being uploaded and accessible to public through a simple google search.The security flaw was found by French security researcher Robert Baptiste, who tweeted on Friday trying to reach out to AIFF. The federation officials, however, downplayed the issue by calling the exposed passport details of their employees as “old data”.
Cybercrime officials say the passport details could be misused for identity theft and taking new SIM cards.
On Friday, Baptiste tweeted requesting assistance to reach out to AIFF to alert them about a security flaw. Express then reached out to AIFF and alerted them about the security breach on the same day.The security flaw exposed passport details of 1,138 AIFF personnel, who were eligible to attend international sporting events. Federation officials refused to confirm if the data leak contained the passport details of national Indian football team. A federation official on the condition of anonymity said, “These passport details were uploaded some time ago and they are old. Our IT team has fixed the issue.” But the issue was not resolved technically.
The passport details were stored in PDF format and uploaded under the directory name passport_doc.
“They just added another letter to the URL, it now reads ppassport_doc. Changing a file name is not fixing the issue,” said Baptiste. “They have full address on the passports. If am a footballer I wouldn’t want my personal details available online,” he added. Baptiste is still able to access the passport details despite AIFF’s claim that the issue was resolved.
“If someone who is not intended to access, but still accesses the information, is itself a crime,” said Ram Mohan, SP, CID Cybercrime, Hyderabad. “If someone gets access to your passport details, they can use it for identity theft, buying a new SIM card or for staying at a hotel or for using the passport details to pull off a phishing scam. People are unaware of the serious nature of data thefts and often voluntarily upload their sensitive details online,” he added.