AT&T, Verizon Subscribers Exposed as Mobile Bills Turn Up on the Open Web

sprint contractor cell phone bills exposed

Names, addresses, phone numbers, call and text message records and account PINs were all caught up in a cloud misconfiguration.

Hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers have been laid open to anyone with an internet connection, thanks to the oversight of a contractor working with Sprint.

According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers.

Cell phone bills are a treasure trove of data, and include names, addresses and phone numbers along with spending histories and in many cases, call and text message records. In this case, some of the bills date back to 2015; it’s unclear how long the bucket was exposed.

Also, some of the records were ancillary materials, such as bank statements and screenshots web pages containing subscribers’ online usernames, passwords and account PINs.

Fidus Information Security first uncovered the open database and, unsure of who it belonged to, alerted AWS. The database was subsequently closed off from the open web.

In an investigation, TechCrunch reviewed the cache and found the bucket to belong to Deardorff Communications, a marketing agency that works with Sprint; Deardorff acknowledged the incident and said that there would be an internal investigation and a review of its policies and procedures.

A Sprint spokesperson said that the company was “assured that the error has been corrected.”

Cloud misconfigurations that expose sensitive data have become all too common, according to Jonathan Deveaux, head of enterprise data protection at comforte AG.

“People with good intentions…fail to remember (or simply do not know) that some default configurations at cloud service providers do not ‘turn on’ effective (or even basic) data security — you have to activate security yourself, or only put data that’s already secured in the cloud,” he said via email. “Unfortunately, ‘convenience-first’ and ‘customer-first’ approaches often push ‘security-first’ to a lower priority. People with good intentions are typically just trying to get their jobs done and this is sometimes where an accidental insider event occurs.”

RiskRecon CEO Kelly White noted that the trouble with cloud security becomes exacerbated when considering the supply chain.

“Safely leveraging cloud databases requires very specific, robust operating standards, configuration management procedures, and continuous security configuration monitoring and response processes,” White told Threatpost. “Even if an organization chooses to not leverage certain cloud database technologies due to their inherent hazard, it is certainly the case that their third parties do. Every third-party evaluation should include specific evaluation of their use of cloud databases and the surrounding safety measures.”

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles