
The 2024 Football Australia Data Breach: A Case of Misconfiguration and Inadequate Change Control

Published 06/09/2025


CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re taking a closer look at the second incident covered in the Deep Dive: Football Australia 2024.

 


Cybernews researchers identified plaintext access keys embedded in the source code of Football Australia’s website. This was clearly the result of human error, whether a developer design flaw or a misconfiguration.

The keys provided access to Football Australia’s 127 digital storage containers. One of the accessible buckets contained personal details of the football players. Other exposed data included attendee purchase information, computing design, and source code.

This incident was the result of several top threats interacting at once.

Developers misconfigured Football Australia’s AWS S3 buckets (Top Threat #1: Misconfiguration and Inadequate Change Control). One was publicly accessible to anyone on the internet (Top Threat #2: Identity and Access Management). As a result, any potential threat actor could access the plaintext keys. This unauthorized access could lead to major financial and reputational harm.

Additionally, developers designed the website with a critical flaw. They embedded an AWS long-term access key directly into the source code (Top Threat #6: Insecure Software Development). Someone used these credentials to access the fully open AWS S3 buckets (Top Threat #10: Unauthenticated Resource Sharing).
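A defender-side check for the flaw described above, added here as an example (it is not code from the report or from Football Australia): it scans source text for embedded AWS long-term access key IDs, which follow a fixed 20-character `AKIA...` pattern, and masks what it finds so the report does not re-expose the credential. The sample key ID and secret are AWS's documented placeholder values, not real credentials.

```python
import re

# Long-term IAM user access key IDs are 20 characters and start with "AKIA";
# temporary STS key IDs start with "ASIA" and are deliberately not flagged here,
# since the page's concern is long-term keys embedded in a website.
LONG_TERM_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-style characters. To limit noise the pattern
# requires a "secret..." assignment on the same line.
SECRET_KEY = re.compile(
    r"(?i)secret[^\n=:'\"]*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def mask(value: str) -> str:
    """Keep only the first and last four characters of a credential."""
    return value[:4] + "..." + value[-4:]


def find_embedded_aws_keys(source: str) -> list:
    """Return (line_no, kind, masked_value) for each credential-like token,
    in the order they appear in the source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in LONG_TERM_KEY_ID.finditer(line):
            findings.append((line_no, "access_key_id", mask(m.group(1))))
        for m in SECRET_KEY.finditer(line):
            findings.append((line_no, "secret_access_key", mask(m.group(1))))
    return findings


# Constructed sample: a front-end bundle that wires a storage client with
# hard-coded credentials. Both values are AWS's published example placeholders.
SAMPLE_JS = """
const client = new S3Client({
  region: "ap-southeast-2",
  credentials: {
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  },
});
const TEMP = "ASIAXXXXXXXXXXXXXXXX"; // temporary STS key ID: not flagged
"""

if __name__ == "__main__":
    for line_no, kind, masked in find_embedded_aws_keys(SAMPLE_JS):
        print(f"line {line_no}: {kind} {masked} -> revoke and rotate")
```

Any hit on a public website bundle should be treated as already compromised: revoke the key in IAM first, then rotate.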

In the vast sea of data on today’s Internet, it may seem like finding unsecured cloud resources would be challenging for threat actors. However, publicly available IoT search tools such as Shodan, Binary Edge, and Grayhat Warfare have existed for years. They make it relatively easy to find unprotected data repositories.

 

Technical Impacts

  • Confidentiality: The breach resulted in the disclosure of PII and other sensitive data. This compromises data privacy and security.
  • Integrity: There is no evidence indicating that someone altered the exposed data. We can assume its original state remained intact despite the exposure for over 700 days.
  • Availability: There was a minor service disruption in the centralized registration platform. Beyond this, the incident did not cause any major system downtime or service disruptions.

 

Business Impacts

  • Financial: In 2023, researchers estimated the average cost of data breach notifications was $370k USD. Based on the volume of compromised data and legal liabilities, the potential impacts were massive.
  • Operational: Football Australia had to reconfigure and recode the system to handle AWS access keys properly, and must now rotate the keys regularly.
  • Compliance: They face potential issues with the Australian Privacy Act of 1988.
  • Reputational: Media coverage of the data breach could damage public trust and brand reputation, as well as ticket sales and partnerships.

 

Preventive Mitigation

  • Application Security: Establish, document, and maintain baseline requirements for securing applications. 
  • Automated Security Testing: Implement a testing strategy. Include criteria for acceptance of new information systems, upgrades, and versions. Maintain application security compliance while enabling speed of delivery goals. Automate when applicable and possible. 
  • Change Management Software: Manage the risks associated with team members applying changes to assets. This includes applications, systems, infrastructure, and configuration, regardless of whether you manage the assets internally or externally. 
  • Data Encryption: Provide cryptographic protection to data at-rest and in-transit, using libraries certified to approved standards. 
  • Data Protection by Design: Develop systems, products, and business practices based upon a principle of security by design. 
  • Infrastructure as Code (IaC): Use IaC to automate the provisioning and configuration of cloud resources. This enforces consistent security configurations and reduces the risk of manual errors, so that S3 buckets are configured correctly from the start.

 

Detective Mitigation

  • Detection of Baseline Deviation: Implement detection measures that proactively notify when changes deviate from the established baseline.
  • User Access Review: Frequently review and revalidate user access for least privilege and separation of duties. Programmatic access to provisioned scripts and privileged access systems can help detect gaps and exploits. 
  • Penetration Testing: Define, implement, and evaluate procedures for periodic penetration testing by a third party. 
  • Security Monitoring and Alerting: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts based on such events.

 

Corrective Mitigation

  • Remediation: Establish, document, approve, communicate, apply, evaluate, and maintain a risk-based corrective action plan. Remediate incident and breach case findings, lessons learned, and improvement plan findings. Review and report remediation status to relevant stakeholders. This is particularly critical in cases of recurring breaches. 
  • Encryption Change Management Process: Establish effective change control procedures for cryptographic, encryption, and key management technology changes. This should include a review and approval process.
  • Data Breach Response Plan: Develop and maintain a data breach response plan. Include notification procedures, containment measures, and recovery strategies.

 

Key Takeaways from This Incident

  • Embedding long-term AWS access keys directly within website source code presents a severe security risk. Instead, adopt dynamic credential management systems to securely generate and manage keys at runtime. 
  • Regularly rotating AWS access keys is essential to limit their exposure and reduce the risk of credential misuse. Enforce automated key rotation policies with short-lived credentials. 
  • Protecting sensitive data, such as PII, requires robust encryption at rest and in transit. Ensure that you encrypt the data stored in AWS S3 buckets or other cloud services, using the AWS Key Management Service or an equivalent solution.
  • Misconfigured AWS S3 buckets are a leading cause of cloud data leaks. Implement policies specifically designed to block public access across all S3 buckets. Enable access logging.
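The last takeaway in practice, as an added example that is not part of the original post: an offline posture check over the three S3 API responses it points at (the Block Public Access configuration, the bucket policy, and the access-logging status), run against a constructed weak configuration and a constructed hardened one. The bucket, role and account values are placeholders, not Football Australia's.

```python
import json

# The four S3 Block Public Access settings; all four should be true. Names match
# the PublicAccessBlockConfiguration structure returned by the S3 API.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_statements(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement that grants access to
    an anonymous principal ("*" or {"AWS": "*"}) with no Condition attached."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found


def assess_bucket(pab: dict, policy: dict, logging: dict) -> dict:
    """Summarise a bucket's exposure from its public-access block, policy and
    logging configuration (the GetBucketLogging response shape)."""
    missing = [s for s in PAB_SETTINGS if not pab.get(s)]
    public = public_statements(policy)
    # RestrictPublicBuckets makes S3 ignore public grants in an existing policy;
    # without it, a public Allow statement is reachable from the internet.
    return {
        "pab_missing": missing,
        "public_statements": public,
        "internet_readable": bool(public) and "RestrictPublicBuckets" in missing,
        "access_logging": "LoggingEnabled" in logging,
    }


# Constructed sample configurations (placeholder names, not real settings).
WEAK_PAB = {s: False for s in PAB_SETTINGS}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
WEAK_LOGGING = {}

HARDENED_PAB = {s: True for s in PAB_SETTINGS}
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/web-app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-logs",
                                       "TargetPrefix": "s3-access/"}}

if __name__ == "__main__":
    print("weak:    ", assess_bucket(WEAK_PAB, WEAK_POLICY, WEAK_LOGGING))
    print("hardened:", assess_bucket(HARDENED_PAB, HARDENED_POLICY, HARDENED_LOGGING))
```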

 


Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other notable cloud breach cases. Get a detailed breakdown of the Snowflake, CrowdStrike, Toyota, DarkBeam, Retool/Fortress, FTX, and Microsoft incidents. This breakdown includes:

  • An attack detail
  • A description of the threat actor
  • The associated top threats
  • The technical and business impacts
  • Relevant Cloud Controls Matrix (CCM) controls to use for preventive, detective, and corrective mitigation
  • Essential metrics to measure control effectiveness
  • Key takeaways
