[BreachExchange] US cell carrier Assist Wireless exposed thousands of customer IDs

Fri Sep 4 10:01:42 EDT 2020

https://techcrunch.com/2020/09/02/assist-wireless-customer-data-exposed/

U.S. cell carrier Assist Wireless  left tens of thousands of personal
customer documents on its website by mistake.

Assist provides free government-subsidized cell phones to low-income
households across Oklahoma through the Lifeline program, set up by the
Federal Communications Commission in 1985. Lifeline helps households
on federal assistance programs, like food stamps or public housing,
get access to cheap cell phone plans.

But part of the carrier’s website was leaking customer documents —
including driver licenses, passports and Social Security cards — which
customers submit to verify their eligibility to sign up for a free
phone and a plan.

The documents are dated between 2019 and 2020.

Security researcher John Wethington found the exposed documents
through a simple Google search result, and asked TechCrunch to alert
the carrier to the leak. Assist removed the exposed documents from its
website a short time later.

Assist told TechCrunch that it traced the issue to a third-party
plug-in, Imagify, which the carrier uses to optimize images on its
website. Assist said that the plug-in by default puts a backup of
uploaded images in a separate folder, but that the backup location in
Assist’s case was not secure.

“We have resolved the issue by turning the backup off and removed the
folder from public view,” said Assist.

The carrier told TechCrunch it also submitted an “urgent request” to
Google to remove the documents from its cached image search results.
(TechCrunch held this story until the images were scrubbed.)

Assist said it is investigating if anyone else found the exposed data
before the issue was fixed.

“Assist Wireless takes security and consumer data very seriously. We
are hiring a third-party security firm to provide us with a thorough
security audit and subsequent consultation on ensuring customer data
is as safe as possible moving forward,” the carrier said.

The carrier also said it would notify customers if their data was
exposed in the security lapse.