Tuesday, May 7, 2019

Freedom Mobile security flaw leaks data of over a million subscribers


A Freedom Mobile security flaw has resulted in the data of millions of customers being exposed.

Security researchers Noam Rotem and Ran Locar found an Elasticsearch server that leaked five million logs containing Freedom Mobile customer data. The data was not protected with a password, giving anyone access to the information.

Rotem and Locar published their findings through virtual private network provider vpnMentor. The report states that it took Freedom Mobile roughly a week to fix the security flaw after being notified of its existence.

The report states that customer email addresses, phone numbers, postal codes, dates of birth, customer types, account numbers and even full names were leaked. Equifax credit check customer information is also included in the leak, along with complete credit card numbers, including verification numbers and expiry dates, all stored unencrypted in plaintext.

Freedom Mobile has more than 1.5 million customers across Canada, according to Shaw’s latest earnings report. This means that the data of roughly 98.9 percent of Freedom Mobile subscribers are affected by the security leak.

Shaw-owned Freedom Mobile’s full statement on the issue can be read below:

“We can confirm that two cybersecurity researchers contacted the Freedom Mobile Privacy Office on April 18 to advise they had located a security gap that affected a very small percentage of all Freedom Mobile customers, whose data is processed by a new external third-party vendor, Apptium Technologies.

We’ve assessed that data from approximately 15 thousand Freedom Mobile customers was affected.

We have no evidence to date that any data exposed has been misused in any way and we are conducting a full forensic investigation to determine the full scope of impact. Once the legitimacy of the researchers’ emails was verified, the third party vendor rectified the situation identified by the cybersecurity researchers and we began an investigation immediately.

Our investigation is ongoing. All affected customers will be contacted, and we will provide them with a solution that best suits their needs.

We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16. The data exposure was discovered and rectified on April 23.

Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.

The internal systems of Freedom Mobile or Shaw Communications were not compromised as part of this third party vendor security exposure.

Freedom Mobile has filed a notification to the Office of the Privacy Commissioner of Canada (OPC) and we are continuing our investigation into the matter.”

More to come…

Image credit: vpnMentor

Source: vpnMentor 

The post Freedom Mobile security flaw leaks data of over a million subscribers appeared first on MobileSyrup.



from MobileSyrup http://bit.ly/2VKT5jh
