Freedom Mobile, a major Canadian telecommunications provider, has revealed a data breach that may have exposed sensitive information of thousands of customers.
The cyber security researchers Noam Rotem and Ran Locar from vpnMentor stated that they accessed a completely unprotected and unencrypted database belonging to Freedom Mobile, which is the fourth-largest telco in Canada.
The database included customers' email addresses, phone and mobile numbers, home addresses, dates of birth, customer types, and IP addresses linked to payment methods. Unencrypted financial data was also exposed, including credit card numbers and security codes (CVV numbers), as well as credit score responses from Equifax and other credit monitoring services.
They were also able to access the Freedom Mobile account numbers, subscription dates, billing cycle dates and customer service records.
The leak was found on April 17, 2019. The researchers tried to contact the company several times, but did not receive a response until April 24; the leak was plugged on the same day.
According to the researchers, up to 1.5 million active Freedom Mobile users may have been impacted by the breach, and the researchers had full access to over five million records. Since the team did not download the database, it is not known exactly how many individuals are involved.
The telecom company, however, did not agree with this estimate and claimed that only 15,000 customers were affected.
The company claims that customers at 17 retail stores who recently opened or changed account information were involved, and that the incident occurred due to a new third-party company, Apptium Technologies, which was recently brought in to streamline retail systems.
There is no evidence that the leaked data has been abused or that the firm's internal systems have been compromised in any way.
According to a Freedom Mobile spokesperson, the company has started contacting affected customers and a solution will be provided to them soon. He stated that only a very limited amount of Freedom Mobile customer data was exposed as a result of a misconfigured server managed by Apptium. The company is continuing its investigation into the matter.