Pierluigi Paganini May 09, 2019

Canadian Freedom Mobile mobile network operator exposed the details of many customers, including their payment card data.

Security researchers at vpnMentor discovered an unprotected database containing information belonging to Freedom Mobile customers.

Freedom Mobile is the fourth largest mobile network operator in Canada. The unprotected database stored at least 5 million records associated with 1.5 million users of the mobile network operator.

Exposed records include email addresses, phone numbers, home addresses, dates of birth, IP addresses associated with payment methods, credit scores (from Equifax and other companies), unencrypted payment card data with CVV codes, locations, and other customer service records, and account details. All the data was encrypted.

According to the Globe and Mail, and the data leak was caused by the third-party company Apptium Technologies.

“Similar to Gearbest’s unprotected Elasticsearch database, Freedom Mobile’s database was completely unencrypted. We had full access to more than 5 million records, reflecting up to 1.5 million users.” reads a blog post published by vpnMentor.

“We could also access account numbers, subscription dates, billing cycle dates, and customer service records including locations.Some entries also included data from an Equifax database. This included information on credit scores, credit class, and credit card accounts.”

The experts discovered the unprotected database on April 17 and reported the discovery to the telecom operator on April 18. The database was secured on April 23.

Freedom Mobile attempted to downplay the incident saying that the total records stored in the unprotected database were related to only 15,000 customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 16.

“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications. “Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.”

Freedom Mobile’s investigation reported the incident to the Office of the Privacy Commissioner of Canada (OPC).

Pierluigi Paganini

(SecurityAffairs – Canada, Data Leak)

[adrotate banner=”5″]

[adrotate banner=”13″]