Millions of SMS messages exposed in database security lapse – TechCrunch
Exclusive: The exposed database was left unprotected without a password. None of the data was encrypted.
Comments from Joseph Lorenzo Hall, Senior Vice President at Internet Society: “Another data breach of massive proportions due to incompetence on behalf of a service provider. This is increasingly common and definitely unacceptable in terms of running a modern service… this is the exact opposite of an important concept of data stewardship, or ‘business data hygiene’. You just don’t leave data like this lying around! It’s particularly unfortunate it was business SMS text messages here. SMS is a very useful technology as everyone who has a mobile phone has this capability, but it also means that this will affect a broad swath of society. SMS text messages are highly insecure: they are not authenticated — they can easily be spoofed — and they are not confidential — meaning they can be eavesdropped upon and even changed in transit. Unfortunately more secure options don’t work across Android and iOS, although this is being worked on. This is a good case study for businesses to attempt more secure messaging options with their customers, using custom WhatsApp, Signal, or other technologies. It’s crucial that victims in this database are notified so that they can be aware of any potential threats that might include changing their passwords or other ways of taking over online accounts, which is a big focus of cybercriminals. I would expect and urge attention by state Attorneys General, as if this breach results in actual financial or physical harm, this company will likely be sued out of existence for this kind of colossal mistake! Some mistakes a business should not be able to escape from given their consequences.”