Freedom Mobile hit by data breach, 15,000 customers affected. TORONTO — Freedom Mobile confirmed Tuesday it had a data security breach from late March to late April, but the wireless carrier said only about 15,000 customers were affected — far fewer than an outside research firm’s estimate.
The Calgary-based company — which operates networks in Ontario, Alberta and British Columbia — was apparently warned of the breach by researchers at vpnMentor, which announced it to the press.
The vpnMentor report said two of its researchers, Noam Rotem and Ran Locar, had warned Freedom of their findings on April 17, 18 and 23 but didn’t get a response from the company until April 24.
“For ethical reasons, we didn’t download the database, so we don’t know exactly how many people were affected,” the blog said.
Freedom said in an emailed statement that “any reference to 1.5 million customers affected is inaccurate . . . ”
The company said its investigation determined the breach began on March 25 and affected data processed by a new external third-party vendor, Apptium Technologies, that had been hired to streamline its retail customer support.
“The internal systems of Freedom Mobile or (parent) Shaw Communications were not compromised as part of this third-party vendor security exposure,” the company said in a statement.
It said the breach affected customers at 17 retail stores who opened or changed accounts as late as April 15 or made changes to opened accounts on April 16. It said the problem was fixed by April 23.
Freedom also said that it had found no evidence, as of Tuesday, that any data has been misused “and we are conducting a full forensic investigation to determine the full scope of impact.”
Valerie Lawton, of the federal privacy commissioner’s office, said in an email that it had received a breach report related to Freedom Mobile late Monday afternoon.
“Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), includes confidentiality provisions and we don’t have further details to offer at this time,” Lawton said.
Under PIPEDA, which was most recently updated in November, private-sector organizations that control personal information must advise the privacy watchdog of breaches that pose a “real risk of significant harm” to individuals.
They must also notify affected individuals about the breaches and keep records.
However, the Canadian law — in contrast to the European Union’s year-old General Data Protection Regulation — provides more flexibility about when organizations inform the Office of the Privacy Commissioner.
Asked why it didn’t close the leak sooner, the company said it took time to verify the legitimacy of the warning and to confirm the details with its third-party vendor.
A research team at vpnMentor recently discovered that Freedom Mobile had suffered a large data breach: an exposed database holding the personal data of up to 1.5 million active Freedom Mobile users. Freedom Mobile (formerly Wind Mobile) is Canada’s fourth-largest wireless communications provider.
The team could see more than 5 million unencrypted records but, for ethical reasons, did not download the database, so it cannot give exact numbers. The company has since said that “only” about 15,000 customers were affected.
The database was left completely unprotected and unencrypted, and the data includes credit card numbers and CVV codes.
Timeline of Breach Discovery and Reaction
- April 17: We discover leak in Freedom Mobile’s database.
- April 18: We email Freedom Mobile to inform the company of a serious data breach. We receive no response.
- April 23: We try to contact Freedom Mobile again.
- April 24: Freedom Mobile finally responds to messages.
- April 24: Freedom Mobile closes data breach.
Examples of Entries in the Database
Similar to Gearbest’s unprotected Elasticsearch database, Freedom Mobile’s database was completely unencrypted. We had full access to more than 5 million records, reflecting up to 1.5 million users.
Each record appears to correspond to an action taken within a user account, so a single customer can have multiple entries; this is why 5 million records map to roughly 1.5 million users.
The personal data exposed includes:
- email address
- home and mobile phone number
- home address
- date of birth
- customer type
- IP address connected to payment method
- unencrypted credit card and CVV numbers
- credit score responses from Equifax and other corporations, with reasons for acceptance/rejection
We could also access account numbers, subscription dates, billing cycle dates, and customer service records including locations.
Some entries also included data from an Equifax database. This included information on credit scores, credit class, and credit card accounts.
Data Breach Impact
Ironically, Freedom Mobile prides itself on offering high levels of privacy. It’s even in their Twitter bio.
However, they clearly shared – and overshared – their customers’ data.
After discovering the data breach, we quickly alerted Freedom Mobile to the issue. When they didn’t immediately respond, we asked contacts at another security site to help us reach them in case our emails had gone to spam. Since they eventually replied to the same messages, we know that this wasn’t the case.
For ethical reasons, we didn’t download the database, so we don’t know exactly how many people were affected.
However, we could access at least 5 million unprotected records. Freedom Mobile has at least 1.5 million subscribers, and its parent company, Shaw Communications, has more than 3.2 million customers across Canada. This may be the largest breach experienced by a Canadian company.
It’s rare to find a leak that exposes both card numbers and CVV codes together, especially at this scale.
Because the leaked data includes unencrypted card numbers and CVV codes, Freedom Mobile (or the vendor processing the data on its behalf) is potentially in breach of the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS requires a stored card number to be rendered unreadable (encrypted, truncated or tokenized) and prohibits storing the CVV at all once a transaction has been authorized, so a plaintext database holding both would fail on two counts. This could result in serious real-world impacts for the company as well as its users.
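As an added illustration (not part of the vpnMentor report and not Freedom Mobile’s or its vendor’s own tooling), the following Python scanner shows the check an assessor or incident responder would run over an exported database like the one described: it flags any stored CVV, which PCI DSS forbids keeping after authorization, and any plaintext card number, using the Luhn checksum to separate card numbers from other digit runs such as phone numbers or account IDs. The field names, the CVV key list and the sample records are constructed for the example, and the regex-plus-Luhn test is a heuristic, not a guarantee.

```python
import re
from typing import Dict, List, Tuple

# Field names that commonly hold the card verification value (assumption for
# the example; adapt to the schema of the database being scanned).
CVV_KEYS = {"cvv", "cvc", "cvv2", "cvc2", "cid", "security_code", "card_security_code"}

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Heuristic; the Luhn check weeds out most
# non-card digit runs (phone numbers, account IDs, timestamps).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number candidate found in text (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Return (field, finding, safe_display) for each PCI DSS violation in one record.

    The report never contains the raw PAN or CVV, so the scanner's own output
    does not become a second copy of the leaked data.
    """
    findings = []
    for key, value in record.items():
        text = str(value)
        # A 3- or 4-digit value in a CVV-named field: sensitive authentication
        # data that must not be stored after authorization, even encrypted.
        if key.lower() in CVV_KEYS and re.fullmatch(r"\d{3,4}", text):
            findings.append((key, "stored CVV (never permitted)", "***"))
        # Any Luhn-valid card number in the clear: PAN not rendered unreadable.
        for pan in find_pans(text):
            findings.append((key, "plaintext PAN", mask_pan(pan)))
    return findings


def scan_records(records: List[Dict[str, object]]) -> List[Tuple[int, str, str, str]]:
    """Scan a list of records; prefix each finding with the record index."""
    return [(i, *f) for i, rec in enumerate(records) for f in scan_record(rec)]


# Constructed sample records for the example (not real customer data).
# 4111 1111 1111 1111 is the well-known Visa test number; the third record
# ends in ...2 so it fails the Luhn check and must not be reported.
SAMPLE_RECORDS = [
    {"account": "A1001", "email": "x@example.com",
     "card_number": "4111 1111 1111 1111", "cvv": "123"},
    {"account": "A1002", "email": "y@example.com",
     "card_number": "411111******1111", "notes": "paid in store"},
    {"account": "A1003", "email": "z@example.com",
     "notes": "callback ref 4111111111111112"},
]


if __name__ == "__main__":
    for idx, field, finding, shown in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: field {field!r}: {finding} ({shown})")
```

Only the first record is reported: its card number is in the clear and its CVV is stored at all. The second record is already masked to first six / last four, so it passes, and the third is a 16-digit string that fails the Luhn check. On a real export you would add the schema’s own field names to CVV_KEYS and treat every hit on a CVV field as a PCI DSS finding regardless of whether the PAN beside it is encrypted.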
Dangers of Hacks
A database full of credit card data, birth dates, full names, addresses, and phone numbers also allows for credit card fraud and identity theft. This could cost users – and their banks and insurance companies – hundreds of thousands of dollars.
An unencrypted database of personalized information is a valuable resource for hackers. Access to addresses, email addresses, phone numbers, and credit data can help malicious actors execute sophisticated phishing schemes.
Credit information also lets attackers aim ransomware at the victims most able to pay, since the credit score and card data tell them where a high ransom demand is likely to succeed.
Even the most careful user can’t defend themselves against a company that stores their data in an unsecured database. The best protection we found is to give the provider a temporary or virtual card number, account, or CVV rather than your primary card details.