One of Sprint’s employees has reportedly leaked 261,300 mobile bills after leaving a cloud network vulnerable online. All the files on the open AWS network belong to AT&T, T-Mobile and Verizon customers, with payments dating back to 2015. Fidus Cyber Security, a British penetration testing specialist, discovered the issue. The firm also dug deeper to trace the origin of the leak. Initially it thought the source was Amazon; Amazon denied it, and the firm went on to find the responsible party.
While digging into the files, they found the name of a director at Deardorff Communications, a Sprint associate. After contacting the marketing company, they confirmed that the bucket belongs to it, though the company has not clarified when the incident started. The company said that it had conducted an independent investigation into the root cause of the incident and had taken the necessary steps to avoid a similar incident in the future. The telecommunications providers whose customers were exposed responded with silence, with Verizon saying it is still investigating. As for Sprint itself, the public was assured that the error had been corrected. This, though, does not help those whose data was already obtained by others.
Let’s take a look at what information on the mobile bills was exposed: subscriber names, physical addresses, contact and call records, and so on. This information can be very useful to malicious actors and scammers for phishing, but unfortunately it is not the whole story. Researchers also found additional documents such as bank statements, usernames and passwords for companies’ online portals, and even VPN account PINs.
Right now, no one has been notified of Deardorff Communications’ exposure, so the affected mobile subscribers know nothing about it. I hope that someone in the chain will alert their clients, even a telecom provider that was not responsible for this spill. It is also worth noting that the responsible party came to light only after investigators had examined the specifics of the data in greater depth. This also demonstrates the risks of software misuse by employees and contractors. This could very easily have been another case in which the liable party remained a mystery.
As more and more news of data leaks of all kinds is posted online, Internet users should become more aware of the importance of data security. Data security cannot be guaranteed by relying only on the behavior of businesses and Internet providers. Users can better protect their data by taking a number of measures, such as using VPN services to encrypt their private information while using the Internet. Although it is sometimes hard to avoid putting personal information online, the less information they reveal, the safer they will be.