Freedom Mobile exposed almost 5 million customer records due to a misconfigured database

• The compromised data includes customers’ names, email addresses, phone numbers, postal addresses, dates of birth, customer types, and Freedom Mobile account numbers.
• The database also contained sensitive information such as unencrypted credit card numbers, CVV numbers, account numbers, billing cycle dates, subscription dates, IP address connected to the payment method, and other customer service records including locations.

Security researchers Noam Rotem and Ran Locar uncovered an unprotected ElasticSearch database belonging to Apptium, a third-party service provider that manages Freedom Mobile’s customer data. Freedom Mobile has more than 1.5 million customers across Canada.

What is the impact?

• The unguarded database has exposed almost 5 million records of customer data.
• A spokesperson for the company stated that customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25, 2019, to April 15, 2019, have been impacted.
• Approximately 15000 customers could have been impacted by the incident.

“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications.

What data was involved?

• The compromised data includes customers’ names, email addresses, phone numbers, postal addresses, dates of birth, customer types, and Freedom Mobile account numbers.
• The database also contained sensitive information such as unencrypted credit card numbers, CVV numbers, account numbers, billing cycle dates, subscription dates, IP address connected to the payment method, and other customer service records including locations.
• It also contained credit score responses from Equifax and other corporations along with reasons for acceptance or rejection.

Database secured

The security researchers who uncovered the database noted that the database is a part of a logging system used by the company to determine and record errors including customer data. Upon discovery on April 17, 2019, they notified Freedom Mobile the very next day about the leaky database. However, the database was secured after almost a week on April 24, 2019.

The security researchers also shared their findings with TechCrunch and published a report at vpnMentor.