A security lapse at Canada’s fourth largest cell network, Freedom Mobile, exposed customer data.
Security researchers Noam Rotem and Ran Locar found an Elasticsearch server leaking five million logs containing customer data. The server wasn’t protected with a password, allowing anyone to access the data.
Rotem and Locar, who shared their findings exclusively with TechCrunch and published a report at vpnMentor, said it took the cell giant a week to secure the leaking database after first reaching out.
The database is believed to be part of a logging system used by the company to determine errors and glitches in the company’s systems. The database recorded any errors and the plaintext data associated with it, including customer data.
Data seen by TechCrunch reveals customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and Freedom Mobile account numbers.
The logs also contain answers to credit checks filed through Equifax, including details if an application was accepted or rejected — along with the reason why.
We also found full credit card numbers, expiry dates and verification numbers stored in plaintext.
None of the data was encrypted.
Freedom Mobile has more than 1.5 million customers across Canada, according to its latest financial earnings. Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications, said about 15,000 customers were affected.
“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” he said. “Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.”
A forensic investigation is underway, the spokesperson said.
Apptium did not return a request for comment.
It’s the latest in a string of data exposures following security lapses that failed to secure databases with basic security measures. Earlier this year, Rotem and Locar found Chinese online shopping giant Gearbest inadvertently exposed millions of customer orders. Now, the researchers say the Freedom Mobile data leak could be one of Canada’s largest. The closest was Bell Canada’s data breach in 2017, in which hackers took more than 1.9 million customer records.
Access to credit card data and credit score data would be a boon for fraudsters and identity thieves wanting to cash in.
A spokesperson for Canada’s data protection authority, the Office of the Privacy Commissioner, confirmed it “received a breach report related to Freedom Mobile,” and “will be examining the report in order to determine next steps.”