[BreachExchange] Freedom Mobile server leak exposed customer data

Destry Winant destry at riskbasedsecurity.com
Tue May 7 09:32:12 EDT 2019


https://techcrunch.com/2019/05/07/freedom-mobile-data-leak/

A security lapse at Canada’s fourth largest cell network Freedom
Mobile exposed customer data.

Security researchers Noam Rotem and Ran Locar found an Elasticsearch
server leaking five million logs containing customer data. The server
wasn’t protected with a password, allowing anyone to access the data.

Rotem and Locar, who shared their findings exclusively with TechCrunch
and published their report at vpnMentor, said it took the cell giant a
week to secure the leaking database after first reaching out.

The database is believed to be part of a logging system used by the
company to determine errors and glitches in the company’s systems. The
database recorded any errors and the plaintext data associated with
it, including customer data.

Data seen by TechCrunch reveals customer names, email addresses, phone
numbers, postal addresses, dates of birth, customer types, and Freedom
Mobile account numbers.

The logs also contained answers to credit checks filed through Equifax,
including whether an application was accepted or rejected, along with
the reason why.

We also found full credit card numbers, expiry dates and verification
numbers stored in plaintext.

None of the data was encrypted.
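The failure described above is a logging pipeline that captured plaintext card data and shipped it, unauthenticated, into Elasticsearch. As an added illustration (not code from the article, Freedom Mobile or Apptium), the following scrubber redacts Luhn-valid card numbers, CVVs and expiry dates from log lines before they are indexed; the sample log lines and field names are constructed for the example.

```python
import re

# Constructed sample log lines in the style of an error-logging pipeline that
# recorded request data in plaintext. Values are made up, not from the breach.
SAMPLE_LOGS = [
    '2019-04-16T10:21:03Z ERROR retail-api order=8831 customer="J. Doe" '
    'card=4111111111111111 exp=09/22 cvv=123 msg="credit check timeout"',
    '2019-04-16T10:21:04Z INFO retail-api order=8832 ref=1234567890123456 msg="ok"',
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')
CVV_RE = re.compile(r'\b(cvv|cvc|cvv2)=\d{3,4}\b', re.IGNORECASE)
EXP_RE = re.compile(r'\b(exp|expiry)=\d{2}/\d{2,4}\b', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; avoids redacting reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(match: re.Match) -> str:
    """Mask all but the last four digits of a Luhn-valid card number."""
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not luhn_ok(digits):
        return raw              # fails Luhn: treat as an ordinary identifier
    return '*' * (len(digits) - 4) + digits[-4:]


def scrub(line: str) -> str:
    """Redact card data from one log line before it is shipped or indexed."""
    line = PAN_RE.sub(redact_pan, line)
    line = CVV_RE.sub(lambda m: f'{m.group(1)}=[REDACTED]', line)
    line = EXP_RE.sub(lambda m: f'{m.group(1)}=[REDACTED]', line)
    return line


if __name__ == '__main__':
    for entry in SAMPLE_LOGS:
        print(scrub(entry))
```

Scrubbing at the log shipper only limits what a leaked index contains; the server itself still needs authentication and network restrictions, which the exposed cluster lacked.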

Freedom Mobile has more than 1.5 million customers across Canada,
according to its latest financial earnings. Chethan Lakshman, a
spokesperson for Freedom Mobile’s parent company Shaw Communications,
said about 15,000 customers were affected.

“We have discovered that the data that was exposed was contained to a
very small number of customers who had opened or made any changes to
their accounts at 17 Freedom Mobile retail locations from March 25 to
April 15, and any customers who made changes or opened accounts on
April 16,” he said. “Our investigation has revealed that a very
limited amount of Freedom Mobile customer data was exposed as the
result of a misconfigured server managed by Apptium, a new third-party
service provider Freedom Mobile has engaged to streamline our retail
customer support processes.”

A forensic investigation is underway, the spokesperson said.

Apptium did not return a request for comment.

It’s the latest in a string of data exposures caused by databases left
without basic security measures such as a password.
Earlier this year, Rotem and Locar found Chinese online shopping giant
Gearbest inadvertently exposed millions of customer orders. Now, the
researchers say the Freedom Mobile data leak could be one of Canada’s
largest. The closest was Bell Canada’s data breach in 2017, in which
hackers took more than 1.9 million customer records.

Access to credit card data and credit score data would be a boon for
fraudsters and identity thieves wanting to cash in.

A spokesperson for Canada’s data protection authority, the Office of
the Privacy Commissioner, confirmed it “received a breach report
related to Freedom Mobile,” and “will be examining the report in order
to determine next steps.”
