Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Canadian Telco Exposes Unencrypted Card Details

Canadian telco giant Freedom Mobile has become the latest big-name brand whose security has been found wanting after researchers discovered an unprotected database exposing over five million customer records.

A research team at vpnMentor claimed to have discovered the Elasticsearch database online on April 17. It was left online with no password protection and none of the data was encrypted.

Although the firm finally took action to address the issue a week later, the type of data left exposed to the public internet rang alarm bells with the researchers.

It included email and home address, home and mobile phone numbers and dates of birth, but also unencrypted credit card and CVV numbers alongside credit score responses from Equifax and others.

This could have provided cyber-criminals with a valuable trove of information with which to carry out a range of identity fraud.

“An unencrypted database of personalized information is a valuable resource for hackers. Access to addresses, email addresses, phone numbers, and credit data can help malicious actors execute sophisticated phishing schemes,” vpnMentor wrote in a blog post.

“Credit information also allows for highly targeted ransomware attacks, as bad actors know where they can demand high prices. Even the most careful user can’t defend itself against a company that saves their data on an unsecured database. The best way we found is to use a temporary card, account, or CVV number connected to your account.”

The firm also questioned whether Freedom Mobile may have been in breach of its PCI DSS obligations by failing to store the card details in an encrypted format.

Despite vpnMentor’s claims that the number of users affected could be as high as 1.5 million, the telco claimed the data was related to just 15,000 customers. This included some of those who opened or made changes to their accounts from March 25 to April 16.

It blamed third-party provider Apptium for the misconfiguration snafu.

What’s Hot on Infosecurity Magazine?