Written by: Alex Popa
An attack on Canada’s fourth largest cell network, Freedom Mobile, led to a catastrophic leak in terms of customer data. A large package of information on many Freedom Mobile customers was released to the public.
Security Researchers Ran Locar and Noam Rotem were the first to spot the problem when they analyzed an Elasticsearch server. And they found the leak, going for a total of five million customer data logs that were made public. The cause of this break-in is simple – the server wasn’t protected with a password.
Anyone could get in as long as they had an internet connection, and they knew where to look. The two researchers compiled a detailed report at vpnMentor, where they said that the mobile cell company took nearly a week to fix the problem.
The leaking database served as a maintenance tool, being part of a logging system that the company used to find errors and glitches in their systems. It recorded all the plaintext data associated with such errors but they also contained private customer data.
The hackers didn’t even try to hack the database because the doors were wide open, waiting for them. They got their hands on customer names, email addresses, birth dates, phone numbers, postal addresses, customer types, and Freedom Mobile account numbers.
Not only this, but the hackers also managed to wrestle away banking information tied to Equifax transactions, which came wrapped up in a package along with details about the application, whether it was rejected or not, and the reasons for why that was.
TechCrunch found out that among the leaked data, there were “full credit card numbers, expiry dates and verification numbers stored in plaintext”. And what was more bewildering is that no data was encrypted.
As the fourth largest cell network in Canada, Freedom Mobile has over 1.5 million customers country-wide, with more signing in as we speak. Its latest financial earnings are clear on this. The affected customers number in the tens of thousands, namely 15.000, as Chethan Lakshman said, the spokesperson for Shaw Communications, Freedom Mobile’s parent company.
He went on to say that “We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16”.
“Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes”
The spokesperson went on to say that a forensic investigation is currently underway and that the results will be made public. Apptium, in turn, did not issue any public comment on the situation at hand. Most likely, they are also analyzing the issue and patching any other vulnerabilities they might have.
The “hacking attack” on Freedom Mobile isn’t the only one of this type, unfortunately. There have been many security lapses that resulted in the compromising of many unsecured databases that lacked even the most basic security measures.
Just earlier this year, Rotem and Locar discovered that Gearbest, the humongous Chinese shopping company started leaking as well. It exposed millions of customer orders for everyone to see.
Currently, every expert with a decent know-how in cyber-warfare and security says that the Freedom Mobile leak might very well take the crown as one of Canada’s largest and most serious attacks to date.
Bell Canada’s data breach in 2017 alone comes close to what they have on their hands now. At that time, hackers managed to expose more than 1.9 million customer records.
These numbers are exceedingly high, and the data breaches themselves took place from sheer idiotic reasons. The lack of any security protection invites disaster. If they don’t take any precautionary measures against such situations, chances are it’ll happen. And it did, in a grand fashion.
Any hacker can gain access to credit card data and credit score data, information that they could sell on the Black Market and rake lots of money. Identity thieves and people dealing in fraud aren’t exactly a rarity, and they’re just waiting for the next golden opportunity to cash in.
A spokesperson from Canada’s data protection authority, at the Office of the Privacy Commissioner, said that they’ve “received a breach report related to Freedom Mobile”, and they “will be examining the report in order to determine the next steps.”
In any case, the companies suffering from these leaks, Freedom Mobile in this case, should learn from their mistakes and better secure their servers. If they don’t want other breaches to take place, they need to impose strict security protocols on their databases.
Unless they want to lose their clients and potential customers, they will have to take a stand in this sense.