Sprint Contractor Left AWS Bucket Containing Thousands Of Mobile Phone Bills Exposed

It has been reported that a contractor working for mobile giant Sprint stored hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers on an unprotected cloud server. The AWS storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. It was not protected with a password, allowing anyone to access the data inside. It’s not known how long the bucket was exposed.

Notify of

3 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Colin Bastable
Colin Bastable , CEO
InfoSec Expert
December 7, 2019 6:02 am

If American consumers knew how careless third parties are with their data, they would – or should – be shocked and angry.

Presumably, this is either a sales or marketing contractor, hired to switch-sell customers from competitors, or a reseller working on cross-selling campaigns. A reseller would have access to multiple telcos’ subscribers.

The open nature of the database also supports the marketing/sales angle, giving a wide number of sales reps ready access to the data. Presumably, someone just assumed that no one would know about the data.

Perhaps this incident explains why no-one answers their cellphones in America – it is still open season on cellphone customers, and not just from spammers.

Last edited 2 years ago by Colin Bastable
Satya Gupta
Satya Gupta , CTO
InfoSec Expert
December 5, 2019 10:52 pm

We’ve seen this same pattern of carelessness over and over.

Far too many people with access to sensitive data can far too easily upload it to AWS or other cloud services, without ensuring basic security.

Organizations need to establish much stronger controls on who can set up and access cloud storage. The bar also needs to be much higher for the cloud providers. AWS and others like to wash their hands of responsibility for customer data saying they have a “shared security model.” But they need to at least provide security by default to reduce the chance of careless errors.

We’re already seeing an enterprise backlash against cloud providers, with many businesses moving sensitive data and apps back on-premise. If AWS and others don’t step up, this trend away from the cloud will accelerate.

Last edited 2 years ago by Satya Gupta
Jonathan Deveaux
Jonathan Deveaux , Head of Enterprise Data Protection
InfoSec Expert
December 5, 2019 2:51 pm

It’s not that AWS or any other cloud service provider (CSP) isn’t secure, it’s what people with good intentions fail to do when putting sensitive data in the cloud.

They fail to remember (or simply do not know) that some default configurations at CSPs do not ‘turn on’ effective (or even basic) data security – you have to activate security yourself, or only put data that’s already secured in the cloud. When neither is done, data exposure incidents like this will happen over and over again.

A more effective approach is to think ‘security first’. IT professionals need to answer the question “before I upload or download this data, how will it be secured.” And “nobody will know where it is” or “someone else is responsible for data security are not answers.

Unfortunately, ‘convenience-first’ and ‘customer-first’ approaches often push ‘security-first’ to a lower priority. People with good intentions are typically just trying to get their jobs done and this is sometimes where an accidental insider event occurs.

A data-centric approach towards information security helps reduce incidents like this and puts less of a burden on employees just trying to do their jobs.

Last edited 2 years ago by Jonathan Deveaux
Information Security Buzz
Would love your thoughts, please comment.x