Freedom Mobile security flaw leaks personal data of customers

Shaw-owned carrier Freedom Mobile has experienced a security flaw, leaking sensitive data related to the carrier’s customers. However, it remains unclear exactly how many subscribers are affected by the breach.

Freedom Mobile claims that the security breach resulted in the data of 15,000 customers being exposed.

“Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes,” reads a statement from Freedom regarding the data breach.

On the other hand, the security researchers that first uncovered the flaw, Noam Rotem and Ran Locar, claim the number could be much higher.

The breach involves an Elasticsearch server that leaked five million logs containing Freedom Mobile customer data, according to the security researchers. The server was not password-protected, meaning anyone who found it could access the information, according to the researchers’ findings.

Rotem and Locar claim this security flaw is similar to when China-based e-commerce giant Gearbest inadvertently exposed the data of millions of customer orders.

The security researchers first published their findings through virtual private network provider vpnMentor. The report states that it took Freedom Mobile roughly a week to fix the security flaw after being notified of its existence.

Further, the report states that customer email addresses, phone numbers, postal codes, dates of birth, customer types, account numbers and even full names were leaked. Equifax credit check information is also included in the leak, along with complete credit card numbers, including verification numbers and expiry dates, all stored in plaintext and unencrypted.

Freedom Mobile has more than 1.5 million customers across Canada, according to Shaw’s recent Q2 2019 earnings report.

Freedom Mobile isn’t the only Canadian telecom giant to suffer from a major security breach. Back in January of 2018 Bell confirmed that “fewer than 100,000” customers had their private information illegally accessed by hackers.

MobileSyrup has reached out to the Office of the Privacy Commissioner of Canada for comment regarding the breach. We have also contacted the security researchers who uncovered the leak for more information regarding the discrepancy in the number of affected subscribers.

This story will be updated with additional information as it is received.

Freedom Mobile’s full statement regarding the security breach can be read below:

“We can confirm that two cybersecurity researchers contacted the Freedom Mobile Privacy Office on April 18 to advise they had located a security gap that affected a very small percentage of all Freedom Mobile customers, whose data is processed by a new external third-party vendor, Apptium Technologies.

We’ve assessed that data from approximately 15,000 Freedom Mobile customers was affected.

We have no evidence to date that any data exposed has been misused in any way and we are conducting a full forensic investigation to determine the full scope of impact. Once the legitimacy of the researchers’ emails was verified, the third party vendor rectified the situation identified by the cybersecurity researchers and we began an investigation immediately.

Our investigation is ongoing. All affected customers will be contacted, and we will provide them with a solution that best suits their needs.

We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16. The data exposure was discovered and rectified on April 23.

Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.

The internal systems of Freedom Mobile or Shaw Communications were not compromised as part of this third party vendor security exposure.

Freedom Mobile has filed a notification to the Office of the Privacy Commissioner of Canada (OPC) and we are continuing our investigation into the matter.”

Update 08/05/2019: When contacted regarding the discrepancy in the number of customers affected by the breach, vpnMentor sent the following statement.

“From what we saw, 5MM records were a good indication that up to 1.5 million customers were affected. We reached out to FM and didn’t get a response (besides closing the leak). We can’t comment if they don’t communicate with us and allow us to check it with them. We didn’t download the DB as this is a controversial act, and all we wanted to do here is to identify the problem and help solve the issue. We hope FM would share more information with us and we’ll share it with you as well.”

The Office of the Privacy Commissioner sent the following statement regarding the Freedom Mobile security breach.

“We can confirm that we received a breach report related to Freedom Mobile late yesterday afternoon and will be examining the report in order to determine next steps. Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), includes confidentiality provisions and we don’t have further details to offer at that time.”

Update 07/05/2019: The story has been updated with more information regarding Freedom Mobile’s claim that only 15,000 subscribers were affected by the security breach.

Image credit: vpnMentor

Source: vpnMentor