Freedom Mobile data breach impacts thousands of customers

Freedom Mobile, a major Canadian telecommunications provider, has revealed a data breach which may have exposed sensitive information belonging to thousands of customers.

On Tuesday, cybersecurity researchers Noam Rotem and Ran Locar from vpnMentor said they were able to access a database belonging to Canada's fourth-largest telco, which was "totally unprotected and unencrypted."

The database contained the email addresses of customers, phone and mobile numbers, home addresses, dates of birth, customer types, and IP addresses linked to payment methods.

In addition, the researchers say that unencrypted financial data was exposed, including credit numbers and security codes (CVV numbers), alongside credit score responses from Equifax and other credit monitoring services.

Freedom Mobile account numbers, subscription dates, billing cycle dates, and customer service records could also be accessed.

"These records seem to reflect any action taken within a user account, allowing for multiple entries per customer," the researchers say.

See also: Nation state actors, affiliates behind increasing amount of data breaches

The leak was discovered on April 17, 2019. After attempting to contact the telecommunications giant multiple times, Rotem and Locar received a response on April 24 and the leak was plugged on the same day.

VpnMentor's researchers say that up to 1.5 million active Freedom Mobile users may have been impacted by the breach and they had full access to over five million records -- but as an ethical sticking point the team did not download the database, and so it is not known exactly how many individuals were involved.

Calgary-based Freedom Mobile has hit back against this estimate and claims that the 1.5 million figure is "inaccurate." Instead, the telco says that only 15,000 customers were affected.

The company claims that customers at 17 retail stores who recently opened or changed account information were involved, according to the Globe and Mail, and the incident occurred due to a new third-party company, Apptium Technologies, which was recently brought in to streamline retail systems.

TechRepublic: 90% of data breaches in US occur in New York and California

Freedom Mobile said that there is no evidence that the leaked data has been abused, nor have the firm's internal systems been compromised in any way.

This is not the only high-profile data breach which has been disclosed this week. In related news, Binance, one of the most popular cryptocurrency trading platforms worldwide, revealed a "large-scale security breach" which has led to the theft of over 7,000 Bitcoin (BTC), which equates to roughly $41 million. Binance intends to absorb the theft so customers are not impacted.

CNET: Border officials don't have data to address racial bias in facial recognition tech

Update 19.56 BST: A Freedom Mobile spokesperson told ZDNet:

"We've assessed that data from approximately 15 thousand Freedom Mobile customers were affected. We are currently contacting affected customers, and we will provide them with a solution that best suits their needs.

Any reference to 1.5 million customers affected is inaccurate – the researchers could be referencing the number of lines of data exposed but it is certainly not a reference to the number of customers affected. If it is a reference to the number of lines of data, it's worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information. 

Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.

Freedom Mobile has filed a report with the Office of the Privacy Commissioner of Canada (OPC) and we are continuing our investigation into the matter."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

• Wyzant online tutoring platform suffers data breach
  
• Hackers steal $41 million from cryptocurrency exchange Binance
  
• Failed blackmail attempt prompts hackers to leak ocean of data belonging to major companies
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0