Unprotected database of thousands of Freedom Mobile subscribers found by security company

Security researchers say they found an unprotected database with personal and credit card information on thousands of Freedom Mobile subscribers on the Internet.

vpnMentor, which rates consumer virtual private networks (VPNs), said Tuesday that in April its staff found an unencrypted database of the Calgary-based wireless carrier with five million records.

The information included:

  • email address
  • home and mobile phone number
  • home addresses
  • date of birth
  • customer type
  • IP address connected to payment method
  • unencrypted credit card and CVV numbers
  • credit score responses from Equifax and other corporations, with reasons for acceptance/rejection.

According to a blog and press release issued by vpnMentor, the database was found April 17. It took several attempts, but the carrier finally responded to email messages on April 24. That day, vpnMentor says, the database was secured. However, in a statement Freedom Mobile says the database was secured April 23.

Below is a screen shot of the information vpnMentor says it was able to see. Personal information has been blacked out.

Freedom Mobile (formerly Wind Mobile) is owned by Shaw Communications. In a statement to IT World Canada, Chethan Lakshman, the carrier’s vice-president of external affairs, said the exposed database was held by “a new external third-party vendor, Apptium Technologies.” It blamed the problem on “a misconfigured server managed by Apptium,” which had been hired to streamline the carrier’s retail customer support processes.

While vpnMentor thought the data covered 1.5 million subscribers, Lakshman said his company believes approximately 15,000 customers are affected. “Any reference to 1.5 million customers affected is inaccurate,” the statement said. “The researchers could be referencing the number of lines of data exposed but it is certainly not a reference to the number of customers affected. If it is a reference to the number of lines of data, it’s worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information.”

Those affected, Lakshman said, are customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 15, and any customers who made changes or opened accounts on April 16.

The carrier is conducting a full forensic investigation.

The internal systems of Freedom Mobile or Shaw Communications were not compromised as part of this third party vendor security exposure, the company said.

According to a spokesperson for the Office of the Privacy Commissioner, the OPC was notified Monday afternoon of the breach. Under the new rules of the Personal Information Protection and Electronic Documents Act (PIPEDA), companies that come under federal legislation must report breaches of their data security controls.

Freedom Mobile’s web site has an extensive privacy and security statement. It says in part that “We maintain physical, electronic, and procedural safeguards designed to protect your Personal Information. We review such safeguards on a periodic basis and revise them if necessary. We take reasonable steps designed to limit access to Personal Information only to persons as provided for in this Privacy Policy.”

(This story was updated from the original to include comments made by Freedom Mobile. The original headline was also changed.)

 


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
