Sprint Contractor Left AWS Bucket Containing Thousands Of Mobile Phone Bills Exposed

It has been reported that a contractor working for mobile giant Sprint stored hundreds of thousands of cell phone bills of AT&T, Verizon and T-Mobile subscribers on an unprotected cloud server. The AWS storage bucket had more than 261,300 documents, the vast majority of which were phone bills belonging to cell subscribers dating as far back as 2015. It was not protected with a password, allowing anyone to access the data inside. It’s not known how long the bucket was exposed.

Experts Comments

December 05, 2019
Jonathan Deveaux
Head of Enterprise Data Protection
comforte AG
It’s not that AWS or any other cloud service provider (CSP) isn’t secure, it’s what people with good intentions fail to do when putting sensitive data in the cloud. They fail to remember (or simply do not know) that some default configurations at CSPs do not ‘turn on’ effective (or even basic) data security - you have to activate security yourself, or only put data that’s already secured in the cloud. When neither is done, data exposure incidents like this will happen over and over again. A more effective approach is to think ‘security first’. IT professionals need to answer the question “before I upload or download this data, how will it be secured?” And “nobody will know where it is” or “someone else is responsible for data security” are not answers. Unfortunately, ‘convenience-first’ and ‘customer-first’ approaches often push ‘security-first’ to a lower priority. People with good intentions are typically just trying to get their jobs done and this is sometimes where an accidental insider event occurs. A data-centric approach towards information security helps reduce incidents like this and puts less of a burden on employees just trying to do their jobs.
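The point above about having to activate security yourself applies directly to S3: a bucket's policy, its ACL and the account's Block Public Access settings together decide whether an anonymous request succeeds. The following check is an added example, not part of the commentary or of any AWS tooling; it evaluates documents in the shape the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs return, using constructed sample inputs rather than data from the incident.

```python
import json
# ACL grantee groups that mean "anyone" (AllUsers includes anonymous requests)
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """A policy Principal of "*" or {"AWS": "*"} grants to every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids of unconditional Allow statements open to any principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", f"statement-{i}") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]  # conditional grants need manual review

def public_acl_grants(acl):
    """Permissions the bucket ACL gives to the public grantee groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def bucket_is_exposed(policy_json, acl, public_access_block):
    """Block Public Access settings override a public policy or ACL when enabled."""
    pab = public_access_block or {}  # empty dict: nothing is blocked
    policy_open = bool(public_policy_statements(policy_json)) and not pab.get("RestrictPublicBuckets")
    acl_open = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls")
    return policy_open or acl_open

# Constructed sample inputs (hypothetical bucket name): a world-readable bucket
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bills-bucket/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("exposed with no Block Public Access:", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, {}))
    print("exposed with Block Public Access on:", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, HARDENED_PAB))
```

The same public policy and ACL are reported as exposed only when Block Public Access is absent, which is the "security you have to turn on yourself" the comment refers to.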
December 07, 2019
Colin Bastable
CEO
Lucy Security
If American consumers knew how careless third parties are with their data, they would – or should – be shocked and angry. Presumably, this is either a sales or marketing contractor, hired to switch-sell customers from competitors, or a reseller working on cross-selling campaigns. A reseller would have access to multiple telcos’ subscribers. The open nature of the database also supports the marketing/sales angle, giving a wide number of sales reps ready access to the data. Presumably, someone just assumed that no one would know about the data. Perhaps this incident explains why no-one answers their cellphones in America – it is still open season on cellphone customers, and not just from spammers.
December 05, 2019
Satya Gupta
CTO
Virsec
We’ve seen this same pattern of carelessness over and over. Far too many people with access to sensitive data can far too easily upload it to AWS or other cloud services, without ensuring basic security. Organizations need to establish much stronger controls on who can set up and access cloud storage. The bar also needs to be much higher for the cloud providers. AWS and others like to wash their hands of responsibility for customer data saying they have a “shared security model.” But they need to at least provide security by default to reduce the chance of careless errors. We’re already seeing an enterprise backlash against cloud providers, with many businesses moving sensitive data and apps back on-premise. If AWS and others don’t step up, this trend away from the cloud will accelerate.