Security researchers discovered an Elasticsearch server belonging to Freedom Mobile, Canada’s fourth largest cell network, that contained five million logs of customer data. The data was exposed without a password and includes full credit card numbers, expiration dates and verification numbers stored in plaintext as well as customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and account numbers. None of the data was encrypted. The logs also include credit checks filed through Equifax and includes details of whether an application was accepted or rejected and why. A spokesperson for the company said about 15,000 customers were affected by this incident.
https://twitter.com/zackwhittaker/status/1125747595928903685
Experts Comments:
Chris DeRamus, CTO and Co-founder at DivvyCloud:
“Companies should always be thankful when ethical security researchers discover their misconfigured servers instead of malicious hackers. However, suffering a leak of data for 15,000 customers will definitely tarnish the company’s brand reputation and customer trust. Leaving a database unsecured without a password is bad enough, but not even knowing about the vulnerability adds insult to injury. All companies must have security tools and processes in place to proactively avoid data leaks.
Customers deserve to have their data protected with the proper security controls. Organizations must focus on internal operations as databases, storage containers, search engines and other cloud data repositories are often misconfigured. Misconfigurations can be the result of a developer simply not knowing how to properly secure the cloud service. Or a developer may even tweak a server configuration as part of troubleshooting and forget to secure it again once they are done with their project, leaving it publicly accessible. Organizations lacking proper processes and tools to identify and remediate insecure software configurations and deployments are just waiting for a data breach.
That is why companies must invest in cloud operations (CloudOps), which is the combination of people, processes and tools that allow organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services and the automation of these processes with the correct tools. Automated cloud security solutions grant enterprises the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or they can even trigger automated remediation in real-time.”
Jonathan Bensen, CISO and Senior Director of Product Management at Balbix:
“Leaving a server with the full payment card information and personally identifiable information (PII) of thousands of customers publicly accessible can be devastating to those affected. All of the information necessary to make fraudulent purchases is present, and this information can sell easily on the dark web. Even though it is unknown if a malicious party accessed this data, Freedom Mobile should have employed the proper security tools to avoid this critical incident, which came from a lack of fundamental security controls on this customer information.
It is critical that organizations leverage predictive security tools that employ artificial intelligence (AI) and machine learning (ML) to analyze the millions of data signals that arise from IT assets to identify vulnerabilities in real-time. These tools then prioritize the vulnerabilities based on risk and business criticality so that companies know what to fix first—i.e. highly sensitive customer data. This will allow organizations to proactively thwart data leaks and save themselves from sanctions under different data privacy laws, tarnished brand reputation, decreased stock prices, lawsuits and more.”
Kevin Gosschalk, CEO at Arkose Labs:
“Companies must know the value of their data and have necessary security measures in place to protect it. In today’s digital age, all customer and user data must be securely protected. The Freedom Mobile breach not only exposed sensitive user information, including names, addresses and account numbers, but credit checks filed through Equifax. The hacker hit the jackpot on this breach, because the value of the unprotected data is high. However, the data was left vulnerable for anyone to view because it wasn’t even protected by a password. Protect your assets accordingly to ensure hackers can’t extract an economic reward from your company or its customers.”
Robert Vamosi, Senior Product Marketing Manager at ForgeRock:
“This latest exposure of consumer data by Freedom Mobile further highlights how basic security measures can protect vital data and digital identity information. With access to consumer data, such as credit cards and addresses, malicious actors could use this data to harmfully impact consumers’ digital identity. Especially on the heels of National Password Day, this exposure is reminder for organizations to implement best practices to ensure their consumer and user data and identities are secure, including:
- Setting access controls for all sensitive databases
- Not reusing passwords and usernames across accounts, especially not between professional and personal accounts
- Enabling multi-factor authentication (MFA)
Furthermore, Freedom Mobile should implement overall identity management security measures within their organization and with third-party providers, such as single sign on (SSO), to prevent future unauthorized access of consumer or employee data. By employing identity management, Freedom Mobile and other organizations with detailed consumer data on file can leverage consumer or employee behavior to learn how individual accounts are accessed and flag irregular activities. Coupling SSO with MFA further protects identities and data by prompting user verification if SSO credentials have been compromised from unauthorized access.”
Amit Sethi, Senior Principal Consultant at Synopsys:
This security lapse illustrates why it is critically important for organisations to analyse their applications’ designs from a security perspective. They need to track all the places where sensitive data can end up and ensure that sufficient protections are in place for the data in all locations. It appears that Freedom Mobile allowed unauthorised access to their logs and didn’t mask sensitive data before it was written to the logs. Moreover, organisations need to have processes in place to quickly respond to security incidents. Taking a week to mitigate a simple issue such as this is unacceptable.”
Sam Curry, Chief Security Officer at Cybereason:
“The Freedom Mobile breach is yet another reminder that this type of data exposure is far too common place, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors. Vendors should heed simple advice and step up to start preventing the hacker advantage as these latest headlines are preventable. Fundamentally, this is a hack that has led to a breach. No more and no less, and how it is handled, the context of it as an incident, the fates of the victims, the response and the future readiness are what matter. As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive pay-outs.”
Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:
“Scanning application or system logs to determine errors is a common technique used in IT for decades. It is more common than one might think for logs to output data in plain text unless they were coded not to (or re-coded in the case of legacy applications). Data from logs is mostly used for internal purposes and is typically protected by network segmentation and access controls among other things. With the amount of activity and throughput companies process daily, self-monitoring through scanning logs can help organizations quickly identify problems and provide a focus for troubleshooting.
However, when it comes to data security and privacy, sometimes when companies can take the right actions, and things can still go wrong. A data-focused approach towards data security may help reduce the possibility of data exposure such as this case. When organizations go through the process of looking to determine what sensitive data they have and where it resides, data discovery and data-centric protection working together can be an effective way to shore up these security gaps. Data-centric protection doesn’t care where the data resides, including if data exists on-premise or in a multi-cloud resource. The objective is to protect sensitive data at its earliest point of entry, so even application and systems logs would protect customer data as well.”
