Aston Villa is aware of recent news reports of a publicly accessible AWS S3 bucket which reportedly contains fan membership data.
First and foremost, Aston Villa takes the privacy and security of its fans’ personal data extremely seriously and, as a result, it has carried out a full and robust investigation into these reports, led by its Data Protection Officer and supported by the Club’s incident response team. That investigation has determined that the reports relate to access to a system maintained by one of the Club’s service providers that manages the Official Membership on its behalf. The system was accessed by a cybersecurity researcher whose purpose is to search out vulnerabilities and report them to the relevant organisation, to enable them to secure the data.
Upon receiving the report from the cybersecurity researcher, the Club acted promptly to liaise with its service provider to ensure that the vulnerability was promptly closed and to determine whether there had been any additional access to the data. We are pleased to report that there is no evidence of any other unauthorised access to this data and to confirm that no password or payment data was compromised. The service provider’s forensic investigation into the cause of the incident is ongoing and the Club will amend this statement if any additional relevant information is received.
The Club reported this incident to the Information Commissioner’s Office (ICO) which confirmed that no further action would be taken in relation to it. The Club will continue to work closely with the service provider to ensure that fan membership data is secure. The Club sincerely apologises for any distress caused to its supporters as a result of these reports.
Updated 6 June 2024