Freedom Mobile, Canada’s fourth-largest mobile network operator, exposed the details of many customers, including their payment card data, through a third-party service provider.
vpnMentor reported on Tuesday that its researchers had identified an unprotected database storing information on Freedom Mobile customers, including email addresses, phone numbers, home addresses, dates of birth, IP addresses associated with payment methods, credit scores (from Equifax and other companies), unencrypted payment card data with CVV codes, locations and other customer service records, and account details.
vpnMentor claimed the unprotected database stored at least 5 million records associated with as many as 1.5 million users, which is roughly Freedom Mobile’s total number of customers.
However, Freedom Mobile, which is owned by Shaw Communications, said the number is inaccurate. Its investigation revealed that the database stored the details of only 15,000 customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 16.
“Any reference to 1.5 million customers affected is inaccurate – the researchers could be referencing the number of lines of data exposed but it is certainly not a reference to the number of customers affected. If it is a reference to the number of lines of data, it’s worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information,” a Freedom Mobile spokesperson told SecurityWeek.
“We are also seeing data from test accounts, which is to be expected given the new status of the vendor, and data from people who came to stores and applied for service but didn’t complete a transaction,” the company added.
Freedom Mobile blamed the incident on Apptium Technologies, a company recently contracted to help streamline its retail customer support processes.
The existence of the unprotected database was reported to the telecom firm on April 18 and the issue was addressed on April 23. The company said it took action after verifying the “legitimacy of the researchers’ emails.”
Freedom Mobile’s investigation, whose goal is to determine the full scope of the incident, is ongoing. The company claims to have notified the Office of the Privacy Commissioner of Canada (OPC).