Sports Tech Company Trackman Failed To Protect User Information
Trackman, a sports tech company that makes simulator machines and software offering swing and shot analysis technology for professional and amateur golf players, had a security loophole that allowed access to its database, which was filled with tens of millions of confidential records.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing 31 million records belonging to Trackman and reported it to Website Planet.
The publicly exposed database was not password protected or encrypted and contained 31,602,260 records with a total size of 110 TB.
The records showed customers' usernames and email addresses and also contained sensitive data such as device information, IP addresses, and security tokens.
Fowler says that when he discovered that the records belonged to Trackman, he immediately sent a responsible disclosure notice, and public access was restricted the same day.
It is not known how long the database was exposed or if anyone else gained access to it. Fowler notes that he did not receive a response from Trackman after he sent his disclosure notice.
The company offers data analytics not just for golf, but also for baseball, tennis and shot put, among other sports. It provides subscription software, indoor golf simulators, and physical devices such as launch monitors that, in the case of golf, measure key parameters like club speed, ball speed, launch angle and spin rate.
Among the exposed documents, Fowler saw numerous “session” reports with highly detailed analytics and statistics. Trackman’s technology is used in broadcasting, offering viewers detailed graphics and statistics. Their sports analytics technology provides software solutions for performance analysis, coaching, and player development.
Malicious actors who gained access to the same data that Fowler was able to access could potentially use that information to target the individuals in the database with spam, malware distribution, spear phishing attempts or social engineering campaigns.
The exposed information included Wi-Fi and device hardware information. If a cybercriminal can identify known vulnerabilities specific to the individual wireless adapter, it could allow them to remotely gain unauthorised access to the device or the Wi-Fi network. Furthermore, criminals could compromise the router using unique identifiers from an exposure, allowing them to potentially intercept or alter communications between the connected devices and the network.
IBM recently released a report revealing that the average cost of a data breach in Australia reached a record high of A$4.26 million in 2024, reflecting a 27 per cent increase since 2020.
The technology sector experienced the costliest cyber breaches in Australia, with average breaches costing A$5.81 million, followed by the financial services industry (A$5.61 million).