×

CBS had data leak during March Madness: Security firm

CBS Sports may have exposed more than just your busted March Madness bracket.

Mobile data management and security firm Wandera said it found a data leak on the CBS Sports app and mobile website during the college basketball tournament, allowing user data to possibly be compromised.

CBS Sports denied any breach.

"We know that information was leaked. Anyone who is using their mobile device on a public Wi-Fi would have been exposed," said Michael Covington, vice president of product at Wandera.

He said credit card and Social Security information was not revealed.

A Syracuse Orange fan looks on during the third round of the 2014 NCAA Men's Basketball Tournament.
Jared Wickerham | Getty Images
A Syracuse Orange fan looks on during the third round of the 2014 NCAA Men's Basketball Tournament.

Wandera said CBS Sports failed to properly encrypt its site and app. "This does not mean that the app or website was breached by an attacker. Instead, the app/site development teams simply failed to use encryption to protect the user's sensitive data," said Covington.

The report found that both Android and iOS versions of the CBS Sports app and the CBS mobile website failed to protect user names, dates of birth, email addresses, account passwords in clear text, and ZIP codes during the registration.

"Once you have that information, you have the keys to the kingdom," said Covington.

CBS Sports denied the claims of a data breach and said it is rigorous about monitoring its platforms for any potential security issues. "There was no data breach on either the CBS Sports app or mobile site," CBS Sports Digital said in a statement. "We take issue with outside companies publicizing the security operations of other firms for their own purposes rather than user protection."

Wandera said it came across the alleged vulnerability unexpectedly, while doing research on sports applications ahead of March Madness. As its engineers tracked data across various sports sites, they noticed unprotected data coming across its cloud service from CBS.

Once they discovered it, Wandera said, it immediately notified the network. It took about a month, but CBS notified Wandera the bug had been fixed, the security firm said.

The CBS Sports app was downloaded 5 million to 10 million times on Google Play and it is one of the top downloaded sports applications in Apple's iTunes store.


CBS Sports and Turner said in a press release that the national championship alone grossed 2.5 billion minutes of consumption across television and digital platforms.

Covington said that big events like March Madness can make sites and applications even more vulnerable because hackers look to take advantage of the notoriety they can gain by compromising data. He recommends changing your password immediately if you visited CBS' mobile site or downloaded its app.

In a world that is becoming increasingly digital, Covington said, these susceptibilities are not that unusual. "I think a lot of shortcuts are made as developers try to push these out quickly. Security seems to be an afterthought in many cases."