Freedom Mobile leaked millions of card data with CVV codes in plain text

The company claims it does not share user data with others but looks like it does.

Another day, another data breach; this time an unprotected database has been discovered leaking personal and financial data of millions of Canadians.

Identified by researchers at vpnMentor along with hacktivists Noam Rotem and Ran Locar; the database belonged to Freedom Mobile which happens to be Canada’s fourth largest wireless telecommunications provider with over 1,516,256 active subscribers.

See: breach: Database with 2 billion records leaked

In total, researchers managed to access more than 5 million records containing information of up to 1.5 million users. The database was hosted on Elasticsearch server which was left completely unprotected without any authentication allowing anyone including malicious elements to access the sensitive data.

According to vpnMentor’s blog post, the exposed records contained full names, email addresses, home and mobile numbers, home addresses, date of birth, customer type, IP addresses linked to the payment method, credit card and their CVV numbers in plain text, account numbers, billing cycle dates, subscription dates and customer service records including locations.

Freedom Mobile leaked millions of card data with CVV codes in plain text
Screenshot of the leaked data (Image credit: vpnMentor)

“This may the largest breach experienced by a Canadian company,” researchers believe.

What may upset many is that the database also contained credit score responses from Equifax and other companies. It is also worth mentioning that in 2017, Equifax suffered a massive data breach in which 143 million Americans, which is over 40% of the entire population of the United States had their highly sensitive, personal and financial data stolen by unknown hackers.

What’s further upsetting is that although Freedom Mobile publically states that it does not share user data with third parties, vpnMentor’s researchers found out that the:

“They clearly shared – and overshared – their customers’ data.”

Freedom Mobile leaked millions of card data with CVV codes in plain text
Freedom Mobile’s Twitter account claims the company does not share user data.

Good news is that on April 18th, vpnMentor’s researchers contacted Freedom Mobile about the breach and on April 24th, the company successfully managed to remove the exposed database.

However, the nightmare for Freedom Mobile does not end here as according to rules, Canadian businesses who deal in credit card information of any kind must comply with the data security guidelines established by the Payment Card Industry (PCI).

See: Dark Web hacker selling 126M accounts stolen from new data breaches

If you are a Freedom Mobile’s customer it is time to get in touch with the company and inquire how it uses your personal data. As for vpnMentor, this is not the first time when researchers have identified a large scale data breach. Just a week ago, the company identified a sensitive database with 80 million US households exposed online on a Microsoft cloud server.

Give vpnMentor a thumbs up and follow their guide to securely protect your online data and transactions.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts