Freedom Mobile, Canada’s fourth largest mobile network, has become the latest company to suffer a serious data breach, when five million logs of unencrypted customer data was left exposed.
The database includes highly sensitive information, such as full credit card numbers, expiration dates and verification numbers stored in plaintext. It also has customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and account numbers. None of the information was password-protected, meaning it could be accessed by anyone and could easily make its way onto the dark web.
In addition, the logs also include credit checks including details of whether an application was accepted or rejected and why.
Yesterday, cybersecurity researchers Noam Rotem and Ran Locar revealed that they were able to access the Elasticsearch database of customer information after it was left completely unprotected.
According to a report by Rotem and Locar published by VPNMentor, the exposed data was discovered on April 17 but the company did not secure the database for a week. The report predicts that this could be the largest breach ever experienced by a Canadian company.
A spokesperson from Freedom Mobile said about 15,000 customers were affected by this incident.
Impact of the Freedom Mobile breach
The Freedom Mobile breach has serious implications for customer security, with the storing of credit card information and CVV numbers together especially valuable for hackers, and this volume of personal information enabling phishing attacks.
According to the report, the breach could also break PCI (Payment Card Industry) rules, creating further problems for the company.
Earlier this year, a similar incident occurred after an unsecured database of 730,434 records stored on MongoDB, including full names, dates of birth, phone numbers and email addresses, was discovered by a cybersecurity professional.
Chris DeRamus, CTO and co-founder of DivvyCloud believes the Freedom Mobile breach could have been prevented if the data was not left without adequate security protection:
“Companies should always be thankful when ethical security researchers discover their misconfigured servers instead of malicious hackers. However, suffering a leak of data for 15,000 customers will definitely tarnish the company’s brand reputation and customer trust. Leaving a database unsecured without a password is bad enough, but not even knowing about the vulnerability adds insult to injury. All companies must have security tools and processes in place to proactively avoid data leaks.
“Customers deserve to have their data protected with the proper security controls. Organisations must focus on internal operations as databases, storage containers, search engines and other cloud data repositories are often misconfigured. Misconfigurations can be the result of a developer simply not knowing how to properly secure the cloud service. Or a developer may even tweak a server configuration as part of troubleshooting and forget to secure it again once they are done with their project, leaving it publicly accessible. Organisations lacking proper processes and tools to identify and remediate insecure software configurations and deployments are just waiting for a data breach.
3 Things That Will Change the World Today
“That is why companies must invest in cloud operations (CloudOps), which is the combination of people, processes and tools that allow organisations to consistently manage and govern cloud services at scale.”
Jonathan Bensen, CISO and senior director of product management at Balbix believes that utilising artificial intelligence and machine learning could help protect companies against breaches such as the Freedom Mobile breach:
“Leaving a server with the full payment card information and personally identifiable information (PII) of thousands of customers publicly accessible can be devastating to those affected. All of the information necessary to make fraudulent purchases is present, and this information can sell easily on the dark web. Even though it is unknown if a malicious party accessed this data, Freedom Mobile should have employed the proper security tools to avoid this critical incident, which came from a lack of fundamental security controls on this customer information.
“It is critical that organisations leverage predictive security tools that employ artificial intelligence (AI) and machine learning (ML) to analyse the millions of data signals that arise from IT assets to identify vulnerabilities in real-time. These tools then prioritise the vulnerabilities based on risk and business criticality so that companies know what to fix first—i.e. highly sensitive customer data. This will allow organisations to proactively thwart data leaks and save themselves from sanctions under different data privacy laws, tarnished brand reputation, decreased stock prices, lawsuits and more.”