Freedom Mobile, the fourth largest mobile telecommunications network in Canada, has suffered a data breach that has left customers' data vulnerable.
The leak was traced back to an Elasticsearch server by security researchers, who found five million accounts containing customer data. Alarmingly, the database was not password protected, meaning anyone would have been able to access the information.
The “ethical” hacktivists revealed that the mobile phone firm took a week to get protection up to standard after they highlighted the server’s vulnerabilities.
The database involved is reported to be a component within a logging system that the company relied upon to detect malfunctions or glitches in its IT systems. It also noted any errors and the plaintext information linked to them, including personal and private details of customers.
Data exposed is believed to comprise customer names, email addresses, phone numbers, residential addresses, birth dates, customer profile information, and Freedom Mobile account codes.
The records also hold responses to credit checks channelled through the credit rating agency Equifax, and contain details on whether an application had been accepted or rejected, together with justifying factors for that decision. Credit card numbers, expiry dates and verification codes were also stored in plaintext, and none of the records was encrypted.
Around 1.5 million Canadian citizens use Freedom Mobile, trusting the company to keep their data safe. Chethan Lakshma, a spokesperson for the firm’s parent company, Shaw, revealed around 15,000 customers had been impacted by the lapse.
“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25th to April 15th, and any customers who made changes or opened accounts on April 16.
“Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes,” he added.
An in-depth investigation has now been launched into the incident, the spokesperson added.
Earlier in 2019, the hacktivists behind this latest discovery exposed a data leak caused by the Chinese shopping firm Gearbest, which compromised data relating to millions of customer transactions. The researchers, Ran Locar and Noam Rotem, now estimate that the Canadian mobile phone breach could be one of the biggest in the nation’s history. In 2017, Bell Canada suffered a data breach in which over 1.9 million records were stolen by hackers.
A spokesperson for Canada’s data protection authority, the Office of the Privacy Commissioner, said it had “received a breach report related to Freedom Mobile,” adding that it “will be examining the report in order to determine next steps.”