Freedom Mobile customer data leaked

A security loophole at Freedom Mobile, one of Canada’s largest telecom networks, exposed customer data.

Security researchers Noam Rotem and Ran Locar from vpnMentor say they found an open Elasticsearch server leaking five million logs containing customer data, and warned the company to apply proper security measures. The server was not properly protected with a password and allowed anyone to access the data.

The compromised data includes email addresses, mobile phone numbers, postal addresses, home addresses, dates of birth, customer names, customer types, IP addresses, payment methods, billing cycle dates, subscription dates and more.

The leaked data also includes encrypted credit card data and CVV numbers, verification numbers stored in plaintext, and Freedom Mobile account numbers. All of the data was unencrypted.

Freedom Mobile has more than 1.5 million customers across Canada. According to its parent company, Shaw Communications, about 15,000 customer accounts were affected by this security lapse at Canada’s fourth-largest cell network. A Freedom spokesperson said in a statement that “any reference to 1.5 million customers affected is inaccurate.”

“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications.

He also said that “Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.”

The spokesperson said a forensic investigation is underway.

A spokesperson for Canada’s data protection authority, the Office of the Privacy Commissioner, confirmed it “received a breach report related to Freedom Mobile,” and “will be examining the report in order to determine next steps.”

The security researchers also published a report on vpnMentor.