Security researchers say they found an unprotected database with personal and credit card information on thousands of Freedom Mobile subscribers on the Internet.
vpnMentor, which rates consumer virtual private networks (VPNs), said Tuesday that in April its staff found an unencrypted database of the Calgary-based wireless carrier with five million records.
The information included:
- email address
- home and mobile phone number
- home addresses
- date of birth
- customer type
- IP address connected to payment method
- unencrypted credit card and CVV numbers
- credit score responses from Equifax and other corporations, with reasons for acceptance/rejection.
According to a blog and press release issued by vpnMentor, the database was found April 17. It took several attempts, but the carrier finally responded to email messages on April 24. That day, vpnMentor says, the database was secured. However, in a statement Freedom Mobile says the database was secured April 23.
Below is a screen shot of the information vpnMentor says it was able to see. Personal information has been blacked out.
Freedom Mobile (formerly Wind Mobile) is owned by Shaw Communications. In a statement to IT World Canada, Chethan Lakshman, the carrier’s vice-president of external affairs, said the exposed database was held by “a new external third-party vendor, Apptium Technologies.” It blamed the problem on “a misconfigured server managed by Apptium,” which had been hired to streamline the carrier’s retail customer support processes.
While vpnMentor thought the data covered 1.5 million subscribers, Lakshman said his company believes approximately 15,000 customers are affected. “Any reference to 1.5 million customers affected is inaccurate,” the statement said. “The researchers could be referencing the number of lines of data exposed but it is certainly not a reference to the number of customers affected. If it is a reference to the number of lines of data, it’s worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information.”
Those affected, Lakshman said, are customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 15, and any customers who made changes or opened accounts on April 16.
The carrier is conducting a full forensic investigation.
The internal systems of Freedom Mobile or Shaw Communications were not compromised as part of this third-party vendor security exposure, the company said.
According to a spokesperson for the Office of the Privacy Commissioner, the OPC was notified Monday afternoon of the breach. Under the new rules of the Personal Information Protection and Electronic Documents Act (PIPEDA), companies that come under federal legislation must report breaches of their data security controls.
Freedom Mobile’s website has an extensive privacy and security statement. It says in part that “We maintain physical, electronic, and procedural safeguards designed to protect your Personal Information. We review such safeguards on a periodic basis and revise them if necessary. We take reasonable steps designed to limit access to Personal Information only to persons as provided for in this Privacy Policy.”
(This story was updated from the original to include comments made by Freedom Mobile. The original headline was also changed)