Massive Leak – Freedom Mobile Exposes Customer Data

Updated on: 24 June 2019
Updated on:24 June 2019

An attack on Canada’s fourth largest cell network, Freedom Mobile, has led to a catastrophic leak of customer data. A large packet of information on many Freedom Mobile customers was released to the public.

Security Researchers Ran Locar and Noam Rotem were the first to spot the problem when they analyzed an Elasticsearch server. And they found the leak, going for a total of five million customer data logs that were made public. The cause of this break-in is simple – the server wasn’t secure.

Anyone could get in as long as they had an internet connection, and they knew where to look. The two researchers compiled a detailed report at vpnMentor, where they said that the mobile cell company took nearly a week to fix the problem.

The leaking database served as a maintenance tool, being part of a logging system that the company used to find errors and glitches in their systems. It recorded all the plaintext data associated with such errors but they also contained private customer data.

The hackers didn’t even need to hack the database because the doors were wide open, waiting for them. They were able to access customer names, email addresses, birth dates, phone numbers, postal addresses, customer types, and Freedom Mobile account numbers.

What really happened?

TechCrunch found out that among the leaked data, there were “full credit card numbers, expiry dates and verification numbers stored in plaintext”. And what was more bewildering is that none of the data was encrypted.

As the fourth largest cell network in Canada, Freedom Mobile has over 1.5 million customers country-wide, with more signing in as we speak. Its latest financial earnings are clear on this. The affected customers number in the tens of thousands.

He went on to say that “We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16”.

“Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes”

The spokesperson went on to say that a forensic investigation is currently underway and that the results will be made public. Apptium, in turn, did not issue any public comment on the situation at hand. Most likely, they are also analyzing the issue and patching any other vulnerabilities they might have.

A string of data exposure leaks

The “hacking attack” on Freedom Mobile isn’t the only one of this type, unfortunately. There have been many security lapses that resulted in the compromising of many unsecured databases that lacked even the most basic security measures.

Just earlier this year, Rotem and Locar discovered that Gearbest, the Chinese shopping company started leaking as well. It exposed millions of customer orders for everyone to see.

Bell Canada’s data breach in 2017 comes close to what they have on their hands now. At that time, hackers managed to expose more than 1.9 million customer records.

The lack of any security protection invites disaster. If they don’t take any precautionary measures against such situations, chances are it’ll happen. And it did, in a grand fashion.

Identity thieves and people dealing in fraud aren’t exactly a rarity, and they’re just waiting for the next golden opportunity to cash in.

A spokesperson from Canada’s data protection authority, at the Office of the Privacy Commissioner, said that they’ve “received a breach report related to Freedom Mobile”, and they “will be examining the report in order to determine the next steps.”

In any case, the companies suffering from these leaks, Freedom Mobile in this case, should learn from their mistakes and better secure their servers. If they don’t want other breaches to take place, they need to impose strict security protocols on their databases.

Unless they want to lose their clients and potential customers, they will have to take a stand in this sense.

Written by: Alex Popa

Content writer and technology enthusiast. Alex discovered his love for writing not long ago, one that deepens with each written article. Tech subjects are right up his alley, and as he strives to perfect his craft, even more, his journey through the cyber-world leads to many interesting topics that he approaches with the skill and passion of an avid learner. He’s decided to put his ability to good use and share any digital novelties he comes across.

Leave a Reply

Your email address will not be published. Required fields are marked *