1.5 Million Mobile Users' Card & Personal Information Exposed

“Leaving a server with the full payment card information and personally identifiable information ... can be devastating to those affected.”

Security researchers discovered an exposed Elasticsearch server, not protected by a password, containing the personal data of up to 1.5 million Freedom Mobile users, including unencrypted credit card and CVV numbers, expiration dates and verification numbers.

The five million exposed customer data logs belonged to Freedom Mobile, Canada’s fourth wireless telecommunications provider. The files, stored in plaintext, also held customer names, email and postal addresses, home and mobile phone numbers, birthdates, IP addresses connected to payment methods, customer types and account numbers. The logs also included credit checks filed through Equifax and other companies, with details of the application results. A Freedom Mobile spokesperson said the incident affected 15,000 customers.

Security researchers Noam Rotem and Ran Locar of vpnMentor, who earlier this year discovered an unprotected database affecting up to 65% of U.S. households hosted on a Microsoft cloud server, found the leak in Freedom Mobile’s database on April 17 this year.

“For ethical reasons, we didn’t download the database, so we don’t know exactly how many people were affected,” vpnMentor explained in a blog. “However, we could access at least 5 million unprotected records. Freedom Mobile has at least 1.5 million subscribers, and its parent company, Shaw Communications, has more than 3.2 million customers across Canada. This may be the largest breach experienced by a Canadian company.”

Chris DeRamus, chief technology officer and co-founder of Arlington, Va.-based DivvyCloud, said, “Companies should always be thankful when ethical security researchers discover their misconfigured servers instead of malicious hackers.” DeRamus also pointed out that suffering a leak of data for 15,000 customers will definitely tarnish the company’s brand reputation and customer trust. “Leaving a database unsecured without a password is bad enough, but not even knowing about the vulnerability adds insult to injury. Customers deserve to have their data protected with the proper security controls.”

Jonathan Bensen, chief information security officer and senior director of product management at San Jose, Calif.-based Balbix, said, “Leaving a server with the full payment card information and personally identifiable information of thousands of customers publicly accessible can be devastating to those affected.” Additionally, Bensen said all of the information necessary to make fraudulent purchases is present, and this information can sell easily on the dark web. “Even though it is unknown if a malicious party accessed this data, Freedom Mobile should have employed the proper security tools to avoid this critical incident, which came from a lack of fundamental security controls on this customer information.”

Anurag Kahol, chief technology officer at Campbell, Calif.-based Bitglass, cautioned, “When armed with payment card information and PII, malicious parties can engage in highly targeted phishing attacks, make fraudulent purchases, sell said data on the dark web for a quick profit, and much more. The organization should still take the proper steps to mitigate potential damage and offer credit protection services to anyone affected.”

Companies must know the value of their data and have the necessary security measures in place to protect it, Kevin Gosschalk, CEO and co-founder of San Francisco-based Arkose Labs, stated. “In today’s digital age, all customer and user data must be securely protected. The Freedom Mobile breach not only exposed sensitive user information, including names, addresses and account numbers, but credit checks filed through Equifax. The hacker hit the jackpot on this breach, because the value of the unprotected data is high.”

Gosschalk also commented on the recent breach at Wyzant, an online marketplace where students can find tutors for one-on-one instruction in hundreds of subjects, which compromised connected Facebook profiles. In the incident, one or more attackers succeeded in penetrating Wyzant systems on April 27, 2019, and gained access to some users’ PII.

However, the tutoring platform does not believe the data breach compromised passwords, activity records, or financial information. While the exact number of users affected remains unknown, as does whether the security incident involved both students and tutors, it is known that Wyzant accounts for over two million registered users and over 80,000 instructors.

Gosschalk said, “The recent Wyzant breach is a great example of how one attack can be leveraged against other companies to multiply the attacker’s return on investment.” In this case, the incident also compromised connected Facebook profiles. In addition, hackers gained access to user PII, including email addresses. Gosschalk warned that cybercriminals can offer these email addresses on the dark web and/or use them to carry out attacks such as account takeover and credential stuffing. “It is time companies not only consider their risk, but the continued threat they keep feeding.”