Four Million Time Warner Customers Caught in Privacy Snafu

Over four million Time Warner Cable (TWC) customers may have had their personal details exposed after news emerged of yet another cloud-based database misconfiguration.

TWC partner and global communications provider BroadSoft appears to be the culprit this time around after two AWS S3 buckets were found to have been configured to allow public access.

That mistake effectively exposed 600GB of sensitive data to the public internet, according to Bob Diachenko, chief communications officer at security vendor Kromtech.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” he explained.

“Not only could they access the documents but any ‘Authenticated Users’ could have downloaded the data from the URL or using other applications. With no security in place just a simple anonymous login would work.”

Although the researchers discovered “thousands and thousands [of] records and reports” belonging to BroadSoft clients, TWC appears to have been the most prominent firm affected.

“For example ‘User Profile Dump, 07-07-2017’ text file contains more than 4 million records, spanning the time period 11-26-2010 - 07-07-2017, with Transaction ID, user names, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more,” said Diachenko. “Other databases also have billing addresses, phone numbers etc. for hundreds of thousands of TWC customers.”

It’s not just user information that has been compromised: Kromtech confirmed that BroadSoft also leaked internal credentials which could have allowed hackers to access key systems, potentially exposing even more data.

A few days after the discovery, Kromtech sent a note to one of the BroadSoft engineers in Bangalore whose email details were found in the repository.

Although the individual in question denied the company’s involvement, the repository in question was apparently made secure almost immediately. The second one was secured again after a notification email was sent.

The news comes at around the same time as a similar privacy snafu at US private security firm TigerSwan, blamed on a third-party recruitment partner, which exposed the CVs and job applications of thousands of military vets, many with top secret government clearance.

Jeff Hill, director of product management at Prevalent, argued the cases show that data threats often come from insiders rather than shadowy hackers.

"The Broadsoft episode underscores the relevance of the age-old aphorism 'never attribute to malice that which can be reasonably explained by stupidity’,” he added.

“Visibility into your vendors’ controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors’ custody.”

What’s Hot on Infosecurity Magazine?