Fore-get about privacy, golf tech biz leaves 32M data records on the fairway

Nearly 32 million records belonging to users of tech from Trackman were left exposed to the internet, sitting in a non-password protected database, for an undetermined amount of time, according to researcher Jeremiah Fowler.

Trackman is a technology company that uses Doppler radar to analyze golf swings and shots. The PGA Tour, pro golfers, and amateurs use its products. In addition to the thousands of professionals, and 10,000-plus coaches and club-fitters, the company claims 90 of the world's top 100 players use Trackman tech, along with manufacturers including Bridgestone and Callaway, and major broadcasting companies like Golf Channel, ESPN, BBC, NHK, and CNN World.

While it's very good at tracking golf balls at major tournaments and the Olympics, it appears that protecting users' data may be trickier – leaving their data online in this way puts users at risk of device hacking, social engineering and phishing attacks, as well as other digital crimes.

Fowler spotted and reported the open Microsoft Azure Blob database in early August, and said it contained 31,602,260 records that shared users' names and email addresses, along with device info, IP addresses, and security tokens. In total, 110 TB of sensitive information was there for the taking by any digital crooks, we're told.

While Trackman sealed off the database very quickly after Fowler reported it to them, he says he never received a reply.

"It appears they never notified device owners/users or made the notification public that there was a data exposure," Fowler told The Register. "I didn't see anything posted online or in a Google search regarding a data exposure. Unfortunately that's a pretty common response – to give no response."

The Register also contacted Trackman and did not receive any response to questions including how long the database was left unlocked, or if the company received any reports of malicious activity.

In a report published today, Fowler noted that some of the records stored in Azure Blob appeared to contain sensitive info belonging to professional golfers. One (redacted) screenshot contains the name, email address, and operating system details of one such pro user, along with log files displaying the Wi-Fi connection used by the device, plus API, IP addresses, and security token. 

"Any data exposure that contains names and emails could potentially be used to target those individuals for spam, malware distribution, spear phishing attempts or social engineering campaigns," Fowler wrote, noting that pro athletes also represent "higher-value targets" to criminals.

While the infosec pro said he doesn't have any insight into whether the exposed data was used for nefarious purposes, it wouldn't take much technical expertise for a low-level criminal to use the info in a phishing or social engineering campaign intended to steal additional personal information or payment details.

"The fact that now anyone has access to AI tools like ChatGPT they can create realistic content that is less likely to raise suspicions," Fowler told The Register.

Plus, considering the number of records exposed, would-be criminals "have a massive list of users to work from," he added. 

"For example, criminals could clone a login page and email users to update their password (new and current) or prompt them to update their payment information," Fowler said. "This would be a very easy and effective method to potentially gain access to their accounts and obtain their payment information. The users would have no reason to doubt this was a legitimate request until it's too late."

That's on the low-tech side of things. A more sophisticated attacker could also hack users' devices to deploy malware, intercept Wi-Fi data, or even build a botnet using Trackman devices.

"This would be a scenario where top-level hackers or nation state actors could potentially have access to a complete network of internet-connected devices that could be used for malicious purposes such as a botnet used to launch distributed denial-of-service attacks, steal data, send spam, distribute malware and more, all without the device owner knowing," Fowler said, in what he told us would be a "hypothetical worst-case scenario of how top-tier cybercriminals pose the biggest risk."

Again, we have no evidence to suggest that the firm's devices have been used in a botnet attack – or for any other criminal activity. But if you are one of the company's customers, it's a good idea to keep an eye out for anything suspicious. And in general, use strong passwords, not the 1-2-3-4 variety. ®