Thousands of U.S. cell phone bills exposed by Sprint contractor – TechCrunch
Customer phone bills from AT&T, Verizon, and T-Mobile were found on an exposed storage server.
TechCrunch reported late yesterday that a contractor working for mobile giant Sprint stored hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers on an unprotected cloud server. The AWS storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. It was not protected with a password, allowing anyone to access the data inside. It’s not known how long the bucket was exposed.
Tim Erlin, VP, product management and strategy at Tripwire:
“This isn’t the first supply-chain breach we’ve seen that involved unprotected cloud storage. While organizations can implement technical controls to identify and remediate unprotected storage in infrastructure they control, the problem is more difficult to solve with third parties. Contractual enforcement is one mechanism to employ with third parties, but its effectiveness as a preventative control is questionable at best. Organizations must work to shift the risk and cost of these types of incidents onto the third parties involved in order to motivate them to put in place the required processes and technical controls.”
Jonathan Deveaux, head of enterprise data protection at comforte AG:
“It’s not that AWS or any other cloud service provider (CSP) isn’t secure, it’s what people with good intentions fail to do when putting sensitive data in the cloud. They fail to remember (or simply do not know) that some default configurations at CSPs do not ‘turn on’ effective (or even basic) data security – you have to activate security yourself, or only put data that’s already secured in the cloud. When neither are done, data exposure incidents like this will happen over and over again. A more effective approach is to think ‘security first.’ IT professionals need to answer the question, before I upload or download this data, how will it be secured? And ‘nobody will know where it is’ or ‘someone else is responsible for data security’ are not answers. Unfortunately, ‘convenience-first’ and ‘customer-first’ approaches often push ‘security-first’ to a lower priority. People with good intentions are typically just trying to get their jobs done and this is sometimes where an accidental insider event occurs. A data-centric approach towards information security helps reduce incidents like this and puts less of a burden on employees just trying to do their jobs.”
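As an added example (not code from the article or from any of the vendors quoted in it), the kind of check behind Erlin's "identify and remediate unprotected storage" and Deveaux's "activate security yourself": it evaluates a bucket's ACL, bucket policy and Public Access Block settings, taken as dicts in the shape boto3 returns, and reports whether a public grant is still effective. The sample inputs are constructed, and the bucket name in them is a placeholder.

```python
"""Flag an S3 bucket whose ACL, bucket policy or Public Access Block settings
leave it readable by anyone. Input dicts mirror the shape of boto3's
get_bucket_acl / get_bucket_policy / get_public_access_block responses."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    # A policy Principal is public when it is "*" or {"AWS": "*"} / {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_access_findings(acl, policy_json, public_access_block):
    """Return (exposed, findings). exposed is True only when a public grant is
    still effective, i.e. not neutralised by the account/bucket Public Access Block."""
    pab = public_access_block or {}
    findings, exposed = [], False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
            exposed |= not pab.get("IgnorePublicAcls", False)  # IgnorePublicAcls makes S3 ignore such grants
    for stmt in (json.loads(policy_json).get("Statement", []) if policy_json else []):
        # Unconditional Allow to everyone; conditional statements need manual review and are skipped here.
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            findings.append("bucket policy allows " + ", ".join([actions] if isinstance(actions, str) else actions) + " to everyone")
            exposed |= not pab.get("RestrictPublicBuckets", False)  # RestrictPublicBuckets blocks anonymous use of a public policy
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("Public Access Block not fully enabled: " + ", ".join(missing))
    return exposed, findings

# Constructed sample: a world-readable bucket (public ACL + public policy, no Public Access Block)
# and the Public Access Block settings that would have neutralised both grants.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {k: True for k in PAB_KEYS}
```

Against live buckets the same function can be fed the responses of boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` calls for each bucket in `list_buckets`.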
Satya Gupta, co-founder and CTO of Virsec:
“We’ve seen this same pattern of carelessness over and over. Far too many people with access to sensitive data can far too easily upload it to AWS or other cloud services, without ensuring basic security. Organizations need to establish much stronger controls on who can set up and access cloud storage. The bar also needs to be much higher for the cloud providers. AWS and others like to wash their hands of responsibility for customer data saying they have a ‘shared security model.’ But they need to at least provide security by default to reduce the chance of careless errors. We’re already seeing an enterprise backlash against cloud providers, with many businesses moving sensitive data and apps back on-premise. If AWS and others don’t step up, this trend away from the cloud will accelerate.”
Colin Bastable, CEO of security awareness and training company Lucy Security:
“If American consumers knew how careless third parties are with their data, they would – or should – be shocked and angry. Presumably, this is either a sales or marketing contractor, hired to switch-sell customers from competitors, or a reseller working on cross-selling campaigns. A reseller would have access to multiple telcos’ subscribers. The open nature of the database also supports the marketing/sales angle, giving a wide number of sales reps ready access to the data. Presumably, someone just assumed that no one would know about the data. Perhaps this incident explains why no-one answers their cellphones in America – it is still open season on cellphone customers, and not just from spammers.”