Marketing company Deardorff Communications has exposed 261,300 mobile phone bills through an unprotected cloud server.
The server contained hundreds of thousands of phone bills of AT&T, T-Mobile and Verizon subscribers. The bills contained names, addresses, phone numbers and call histories of subscribers.
In some cases, extremely sensitive documents were found, such as bank statements and a screenshot of a web page that displayed subscribers’ online usernames, passwords and account PINs.
Fidus Information Security, a UK-based penetration testing company, discovered that the Amazon Web Services (AWS) server was not password protected, allowing anyone to access the data inside.
The discovery was reported to Amazon, and the bucket was shut down soon after. After a review, Deardorff Communications confirmed that it was the owner of the bucket. It remains unknown how long the data was exposed.
Jeff Deardorff, president of Deardorff Communications, told TechCrunch in an email: “I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again.”
AT&T and T-Mobile have not commented on the incident; however, Verizon spokesperson Richard Young said that the company was “currently reviewing” the matter.
“The uptrend we’re seeing in sensitive data being publicly accessible is concerning, despite Amazon releasing tools to help combat this,” said Harriet Lester, director of research and development at Fidus.
“This scenario was slightly different to usual as it was tricky to identify the owner of the bucket, but thankfully the security team at AWS were able to pass the report on to the owner within hours and public access was shut down soon after.”
Currently no subscribers have received a notification about the exposure.
The post #Privacy: Sprint contractor exposes over 250K mobile phone bills appeared first on PrivSec Report.