Governance & Risk Management , IT Risk Management , Privacy
Canadian Mobile Provider Exposed Payment Card NumbersFreedom Mobile Customer Data Was Unprotected and Unencrypted, Researchers Say
An unsecured database belonging to Canadian mobile operator Freedom Mobile exposed personal details and unencrypted credit card data, according to two security researchers who discovered the data.
Researchers Noam Rotem and Ran Locar published their findings on the blog of vpnMentor, and it was first reported by TechCrunch.
Another fun disclosure I worked in with @noamr. Wonder if they notified all affected customers https://t.co/bbSKkrgCzY— Ran Locar (@ranlocar) May 7, 2019
In a statement to TechCrunch, Freedom Mobile - formerly known as Wind Mobile - says 15,000 customers were affected. The researchers, however, say 5 million records, which appeared to be tied to up to 1.5 million unique customers' accounts, were exposed.
Freedom Mobile is part of Calgary, Alberta-based Shaw Communications, which is publicly traded on the Toronto Stock Exchange. In its second quarter 2019 financial results, Shaw reported that Freedom Mobile had about 1.5 million customers.
"For ethical reasons, we didn't download the database, so we don't know exactly how many people were affected," Rotem and Locar write. The database appeared to record any action taken by a Freedom Mobile user account, "allowing for multiple entries per customer," they add.
Canada's national broadcaster, the CBC, reported that Freedom Mobile contends that "any reference to 1.5 million customers affected is inaccurate."
Rotem tells ISMG via Twitter that it seems "very strange" that only 15,000 customers would be affected by Freedom Mobile's incident. "It was a live logging Elasticsearch system with lines constantly added to it for at least a few weeks," he says.
A Freedom Mobile spokesman says the company "is currently contacting affected customers, and we will provide them with a solution that best suits their needs."
Unencrypted Card Data
The leaked data included email addresses, home and mobile phone numbers, physical addresses, birth dates and unencrypted credit card and CVV numbers.
"It's rare to find a leak which details both credit card information and CVV numbers together, especially in such a large breach," Rotem and Locar write.
That could prove to be a complication for Freedom Mobile, because credit card issuers require companies that accept payment cards to comply with the Payment Card Industry's Data Security Standard, or PCI-DSS. If fraud arises from Freedom's payment card data exposure, payment card networks could seek to recover costs.
The data also included some information drawn from Equifax and other companies pertaining to credit scores, credit classes and card accounts. Some of the information included the reason why someone was either accepted or rejected for credit, Rotem and Locar write.
Other leaked data included the IP address linked to a payment method, the customer type, account numbers, subscription dates, billing cycle dates and customer service records including locations, the researchers write.
Rotem and Locar say they reported the breach to Freedom Mobile on April 18, one day after they discovered the database, but didn't hear back. Trying again to report the problem on April 24, they say Freedom Mobile responded the next day and that the database was later secured, although they didn't specify precisely when this happened.
Freedom Blames Third-Party Provider
A Freedom Mobile spokesman says "our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes."
Apptium didn't immediately respond to a request for comment. The company has offices in the U.S., Canada and India, and counts Comcast, Optus, Singtel and Hewlett Packard Enterprise among its customers, according to its website.
The exposure affect customers "who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16," Freedom Mobile says. The internal systems of Shaw Communications and Freedom Mobile were not affected.
Since Apptium was a new supplier for Freedom Mobile, "we are also seeing data from test accounts, which is to be expected given the new status of the vendor, and data from people who came to stores and applied for service but didn't complete a transaction."
The CBC reports that Freedom Mobile is conducting a full forensic investigation and that it has filed a breach report with the Office of the Privacy Commissioner of Canada.