Anyone who buys a ticket or orders an official guest package on the UEFA website must register. Regardless of the login method chosen, UEFA saves at least the email address in a profile. This login is valid for several UEFA websites such as UEFA TV or UEFA Gaming.
While researching another article, we happened upon a UEFA subdomain that spat out first names and email addresses in JSON format. A second look at the data revealed an unprotected, simple web service as a REST API: With the parameter page could scroll through the records. The API listed first name, email address, and metadata. The first user profile had a timestamp from December 10th, 2020. The last entry was only a few minutes old at the time of our investigation. The mountain of data consisted of 15,800 records and grew.
Public deletion
We set out to find where this data came from. With an account that was set up as a test, we tried to get the address into the list and were thoroughly surprised: Profiles that were created appeared in the list when the user deleted them in the UEFA profile under the menu item “Data Protection”.
The football fans, who deleted their profile since December 10, 2020, should not have assumed that their first name and email address were trumpeted out into the world as a result.
If you deleted your UEFA profile, you achieved exactly the opposite: first name and email address were then publicly available.
The web service, accessible on the subdomain idp-onetrust-adapter, replied without a login and was certainly not intended for the public. What exactly it was used for initially remained unclear. But there were indications: Each profile was given a status, either “Authorization” or “Deletion”. A possible explanation for the data leak could be the communication with a data protection management system (DMS). Such systems are intended to ensure and document compliance with statutory data protection requirements.
The name of the domain suggests a connection with the company OneTrust Technology Limited, which sells software for data protection and data governance. An additional deletion form in the UEFA data protection regulations refers to a server of this company.
Privacy foul
According to our information, UEFA switched off the API within 24 hours and confirmed that it is documenting the progress of deletion requests for user accounts with the OneTrust software. She also informed us that she is responsible for the web service and therefore also for the data leak caused by an incorrect configuration.
UEFA is currently still checking whether it will inform the fans concerned about the incident. However, according to UEFA’s assessment, this is not legally necessary. It remains to be seen whether or not she is correct: In principle, the GDPR applies because customers are served in the EU, even if UEFA is based in Switzerland.
In order to avoid the data leak that we discovered, it would have been sufficient if the web service concerned had requested authentication or if it had not been accessible from the Internet. Ironically, UEFA offers a three-hour course on cybersecurity and data protection in its online academy. The course description: Avoid data breaches and hacker attacks with simple steps. This actually also includes securing APIs.
In issue 15/2021 we tested Chromebooks and examined their Chrome OS operating system, which has long been more than just a browser. We will also show you how you can upgrade your home office cost-effectively and comprehensively – from the PC to the peripheral devices to the network. C’t editor Urs Mansmann has tested suitable mobile phone tariffs for home offices that offer 15 GB or more. We also explain the cryptography learning tool CrypTool 2, tested premium notebooks and looked at ESPHome, a low-code solution for smart home projects. You will find issue 15/2021 from July 2nd in Heise shop and at the well-stocked newspaper kiosk.
(how)