[BreachExchange] Sprint Contractor Leaks 261K Phone Bills, Bank Statements

Destry Winant destry at riskbasedsecurity.com
Fri Dec 6 09:45:27 EST 2019


A total of 261,300 documents containing the personal information of
AT&T, Sprint, T-Mobile, and Verizon subscribers from as far back as
2015 have been made publicly available by a Sprint contractor.

As TechCrunch reports, the leak consists mainly of phone bills, which
include the name, address, phone numbers, and call histories of
customers across the four major networks. However, some of the
documents are bank statements alongside screen grabs of usernames,
passwords, and PIN numbers.

The leak was discovered by penetration testing company Fidus
Information Security and has been tracked back to Sprint contractor
and marketing agency Deardorff Communications. It appears to be
accidental, the result of a lack of security around the storage of
the data.

Sprint collected the documents as part of an offer to US consumers
allowing them to switch to Sprint without having to pay any early
termination fees; Sprint would pay the fees for them. The leak occurred
because the contractor decided to store the documents in an Amazon Web
Services (AWS) storage "bucket," but didn't bother to use a password,
therefore leaving them publicly available to anyone who cared to look.

Jeff Deardorff, president of Deardorff Communications, has since
commented, "I have launched an internal investigation to determine the
root cause of this issue, and we are also reviewing our policies and
procedures to make sure something like this doesn't happen again."

A Sprint spokesperson confirmed "the error has been corrected," but
it remains unclear whether any of the affected customers will be
contacted and informed that their personal details were shared. So far,
only Verizon has confirmed it is currently reviewing what to do.
