Notification of Data Breach to Data Subjects

The WCA recently had an incident resulting in a data breach of the worldcubeassociation.org website. In compliance with data protection laws (namely GDPR), we are informing all users of worldcubeassociation.org of this data breach, a summary of what caused it, likely consequences, our next steps, and a point of contact.

Summary of the data breach

  • Starting at 14:43 UTC on Wednesday 7th June 2023, and for approximately 70 minutes, users may have found themselves logged in as another user (from the same geographic area) on the worldcubeassociation.org website.
  • This was caused by incorrect settings during a rollout of a Content Delivery Network (CDN) via our AWS servers.
  • The exact number of affected data subjects has not yet been determined.
  • Users who would have experienced this behaviour are those who were logged into the worldcubeassociation.org site:
    • From the same geographic location
    • After their traffic had started being routed through the CDN
    • Browsing the website within 1 second of each other
  • Personal data records held on worldcubeassociation.org include Date of Birth and Email address.

Likely consequences

  • With a set of rare conditions being met, it was technically possible for a data subject’s personal identifying information to be compromised.
  • There is a high level of certainty that the breach was contained and that if there was any unauthorised access, it was minimal.
  • The systems of worldcubeassociation.org contain only limited personal identifying information and there is no way for a non-admin user to download all identifying data.
  • The system administrators have been able to confirm that no user who may have found themselves with administrative privileges gained access to the database control panel.
  • At this point in time, it is NOT possible to rule out that an unauthorised user has gained access to an account with elevated (staff or competition organiser) privileges and hence gained access to personal data.
  • A malicious actor MAY have found themselves in control of an account and may have accessed personal information; however, it is believed that the likelihood is extremely low due to the short time frame and the random nature of the granted access.

Measures taken

  • The WCA Software Team (WST) has done extensive investigations to understand the cause, the timeline and impact of the breach.
  • At this point the system administrators are still investigating the details and working to understand the affected users.

Recommended actions

  • Out of an abundance of caution, WST is recommending that ALL users who were logged into the worldcubeassociation.org site on Wednesday 7th June:

    • Confirm there are no unexpected changes to their profile
    • Reset their password

Communication

If you have any further queries or concerns related to protection of your private data, the WCA’s Data Protection Officer is Jacob Amborse, who can be contacted through the results team (Results@worldcubeassociation.org).

Source: worldcubeassociation