Once upon a time, I discovered a leak of potentially sensitive personal data on TennisLink. When registering for age-group doubles divisions in tournaments, it was possible to look up any player by name and determine their age within a five-year window. With an attack time horizon of four years, it was possible to determine the precise birth year of every single adult USTA player. That’s probably not a big deal until you think about the number of people with family and friends who insist on extending birthday wishes on social media, even for people who have taken pains not to put that information online. Birthdate is frequently used to reset passwords or establish identity. Consequently, the data leak was concerning.
I contacted both the USTA and TennisLink at the time, asking if either organization had a process for responsible disclosure of security issues detected on their public-facing web pages. Responsible disclosure is the ethical practice of notifying an organization about a security vulnerability so it can be addressed before it is exploited. While this sounds straightforward, disclosure carries inherent risks for the individual making the report. Some organizations may react defensively, misconstrue intentions, or even levy accusations of wrongdoing. I have co-workers who have contacted a company to report a serious security issue only to receive a cease-and-desist notification from their corporate attorney. In fact, getting such a letter or being threatened with legal action is a low-key rite of passage in my technical domain.
In this particular case, neither the USTA nor TennisLink ever responded. I don’t think it was negligence but rather a lack of understanding of the implications of someone reaching out and asking for a responsible disclosure point of contact. I like to think that both organizations have matured in the interim and have developed a greater sensitivity to potential data leaks. I hope both organizations now understand the implications of a person reaching out with a responsible disclosure inquiry and will respond appropriately to any future inquiries.
Fortunately, the data leak I discovered disappeared when the USTA migrated tournaments to the ServeTennis platform. That is why I am comfortable writing about the problem now. Additionally, it provides me with the cathartic experience of disclosing that I absolutely used it to my advantage. When I captained a 40+ team, I used the flaw in TennisLink to determine if players I wanted to recruit to my team were old enough for that division. I don’t think it was a huge edge, but it did allow me to identify and contact players who had just aged up with confidence. It was a technical solution that sidestepped the potentially awkward conversations that would have followed had my estimate of a player’s age been wrong.
This weekend, I became aware of a new, very minor data leakage issue with ServeTennis. I don’t think this problem is a privacy issue at all. However, it is yet another indication that the underlying data structures of ServeTennis still have room for improvement. It’s basically just an embarrassing sign of poorly structured data management within the software.
As I initially drafted this post, the 2025 CATA Polar Bear Doubles tournament draws were not yet posted. However, the draws had definitely been made. I could tell that by querying my playing records and seeing that I am credited with an opponent-less “Win” in the round of 16 in the upcoming tournament. That’s not a shock, as Christy Vutam and I are partnered as the top seed in an 11-team draw. If we didn’t receive a bye, it would be a serious violation of USTA Regulations for draw construction. Similarly, it is no surprise that the second-seeded doubles team also received a bye.
However, in an 11-team draw, five teams will receive byes. That means the three unseeded teams that will receive byes were known to me before the release of the draw. That is information that was not yet intended for public release. Moreover, if any of those three teams do not ultimately receive byes, it would be evidence that the draw was remade at some point in the intervening time. An unethical tournament director could repeatedly have ServeTennis redo a draw until preferred local players receive a favorable matchup. This data leak, coupled with frequent and persistent external queries, could detect indicators of that malfeasance in action.
At the player level, this particular data leakage has limited utility. Had I not been seeded in this tournament and guaranteed a bye, I would have known in advance that I would be unlikely to have an 8 am match scheduled on the first day of the tournament. Unfortunately, in this case, the Trophy Husband is in a nice round 32-team draw and will probably play at the earliest possible match time this weekend. So much for optimizing travel arrangements. (I rarely book accommodations until the draws are published anyway.)
This data leakage is also a leading indicator of when tournament directors actually start working on the draws. In the future, I will probably scrutinize player records between the time seeds are published and when the draws are released to determine when that work typically starts. That may confirm or refute my suspicion that some tournament directors who struggle to get their draws posted on time simply do not start early enough. It could provide interesting insight.
At my day job, we are very sensitive to data leaks and how that information could be exploited. These two trivial-ish examples from USTA tournaments serve as a reminder of the importance of robust security practices and transparency in handling potentially sensitive information. Even though this newest leak is no big deal, it probably would be a good thing to at least hide the sloppy structure of the data and the software behind the scenes. Those phantom “wins” in player records should not exist, much less be publicly accessible before the draws are released.