Security researchers Noam Rotem and Ran Locar uncovered an unprotected Elasticsearch database belonging to Apptium, a third-party service provider that manages Freedom Mobile’s customer data. Freedom Mobile has more than 1.5 million customers across Canada.
What is the impact?
“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” said Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications.
What data was involved?
The security researchers who uncovered the database noted that it is part of a logging system the company uses to identify and record errors, and that the logged entries include customer data. They discovered the database on April 17, 2019, and notified Freedom Mobile the very next day. However, the database was not secured until April 24, 2019, almost a week later.
The security researchers also shared their findings with TechCrunch and published a report on vpnMentor.