An apparent security leak at Canada’s fourth-largest mobile carrier, Freedom Mobile, has exposed a swath of customer’s private data.
According to a new report from TechCrunch, security researchers Noam Rotem and Ran Locar discovered an unprotected Elasticsearch server that was leaking five million logs of customer data. It reportedly took the Canadian carrier an entire week to secure the leaking database.
“The database is believed to be part of a logging system used by the company to determine errors and glitches in the company’s systems,” reads the report. “The database recorded any errors and the plaintext data associated with it, including customer data.”
The leaked data includes customers’ information like names, email addresses, phone number, various postal addresses, dates of birth, customer types, and account numbers, explains the report. TechCrunch also reportedly found credit card numbers, expiry dates, and verification numbers.
Up to 15,000 individual accounts were affected by the leak, said a Freedom Mobile spokesperson.
“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications.
“Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes,” he continued.
A forensic investigation into the leak is now currently underway, explained Lakshman.
A spokesperson for the Office of the Privacy Commissioner — Canada’s data protection authority — confirmed it “received a breach report related to Freedom Mobile,” and “will be examining the report in order to determine next steps.”