Security researchers found an unsecured database of Freedom Mobile subscribers on the Internet. Read on to learn more about the latest data breach…
Security researchers found an unsecured database on the Internet containing personal and credit card information on thousands of Freedom Mobile subscribers. vpnMentor, which rates consumer virtual private networks (VPNs), said that in April its staff found an unencrypted database belonging to the Calgary-based wireless carrier with five million records of customer data.
A spokesperson for Freedom Mobile stated that customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25, 2019, to April 15, 2019, were impacted. Approximately 15,000 customers could have been impacted by the incident.
“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications.
According to the report, which cites security researchers Noam Rotem and Ran Locar, the two found that a Freedom Mobile Elasticsearch server had exposed five million logs that included customer data. The server was not password-protected, meaning anyone could get in and access the data, which was stored in plaintext. The researchers said it took Freedom Mobile a week to secure the database after it was alerted to the problem.
The unprotected information included email addresses, home and mobile phone numbers, home addresses, dates of birth, customer type, the IP address connected to the payment method, unencrypted credit card and CVV numbers, and credit score responses from Equifax and other corporations, with reasons for acceptance or rejection.
The database was part of a system the company used to spot errors; it listed the error and any accompanying data, including customers’ information. Information about customer credit checks conducted by Equifax was also accessible, as well as full credit card numbers with expiration dates and verification numbers.
The security researchers uncovered an unprotected Elasticsearch database belonging to Apptium, a third-party service provider that manages Freedom Mobile’s customer data. Freedom Mobile has more than 1.5 million customers across Canada.
The security researchers also shared their findings with TechCrunch and published a report at vpnMentor.
The security researchers who uncovered the database noted that it is part of a logging system the company uses to identify and record errors, and that the logged records include customer data. According to a blog post and press release issued by vpnMentor, the database was found on April 17. The researchers notified Freedom Mobile about the leaky database the very next day. However, the database was not secured until April 24, 2019, almost a week later.
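The failure mode described above, an error-logging system that records whatever data accompanied the error, can be limited by scrubbing card data before a record ever reaches the log store. The following Python logging filter is an added example, not code from Freedom Mobile, Apptium or the researchers; the field names (`cvv`, `cvc`, `cid`) and the sample log line are assumptions constructed for illustration.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed field names for the verification code; adjust to the real log schema.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b(\W{1,4})\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask Luhn-valid card numbers (keeping the last four digits) and drop CVV values."""
    def mask_pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. an order id: leave it readable for debugging
        return "[PAN ****" + digits[-4:] + "]"

    text = CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    return PAN_RE.sub(mask_pan, text)


class CardDataFilter(logging.Filter):
    """Scrub the fully formatted message before any handler ships it to a log store."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted; prevent re-formatting
        return True


def demo() -> str:
    # Constructed sample error line; 4111... is the standard Visa test number.
    sample = 'payment failed: {"card": "4111 1111 1111 1111", "cvv": "123", "order": 1234567890123}'
    return redact(sample)


if __name__ == "__main__":
    print(demo())
```

Attach the filter to each handler that writes to the log store (`handler.addFilter(CardDataFilter())`) so that every record passing through that handler is scrubbed. Redaction at the logging layer complements, and does not replace, requiring authentication on the log store itself.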