- The personal data of hundreds of thousands of cell subscribers was left exposed on an unprotected server.
- The exposure, first reported by TechCrunch, occurred after a contractor working with Sprint left subscribers’ phone bills unprotected on a server hosted by Amazon Web Services.
- Phone bills affected by the exposure belonged to subscribers of Sprint, AT&T, Verizon, and T-Mobile.
- Visit Business Insider’s homepage for more stories.
Hundreds of thousands of cell subscribers’ personal information was accidentally left unprotected on a cloud server hosted by Amazon Web Services, according to a report from Fidus Information Security.
The data exposure includes names, addresses, phone numbers, and users’ call histories, TechCrunch first reported. Some users’ login information, including usernames, passwords, and PINs, was also exposed. Phone bills affected by the exposure included those of subscribers of AT&T, Verizon, and T-Mobile, which were in Sprint’s possession because of a promotion in which Sprint compared its prices to users’ current cell plans.
It’s not clear whether hackers accessed the data while it was exposed. A Sprint representative told Business Insider that “the error has been corrected.”
The server was owned by a third-party contractor working with Sprint, and it was hosting phone bills of users switching from other cell providers to Sprint. That third-party contractor was the marketing firm Deardorff Communications, its president, Jeff Deardorff, confirmed to TechCrunch.
Data exposures are a fairly common security risk in the realm of cloud storage. This risk is especially heightened when data is being shared with third-party contractors, which are less likely to possess the security infrastructure and know-how to protect user data, according to cybersecurity experts.
“Cloud data storage systems are inherently dangerous … safely leveraging cloud databases requires very specific, robust operating standards,” Kelly White, the CEO of the cyberrisk software company RiskRecon, told Business Insider. “Even if an organisation chooses to not leverage certain cloud database technologies due to their inherent hazard, it is certainly the case that their third-parties do.”
How to find out whether you’re affected
Federal rules require companies to inform customers when their personal data is affected by an exposure. According to Sprint, all impacted customers will be notified, but it’s unclear whether Sprint or the third party, Deardorff Communications, is assuming responsibility for that role (a Deardorff Communications representative did not immediately respond to Business Insider’s request for comment).
As such, if you’re a Sprint customer or someone who considered switching to Sprint, the simplest way to find out whether you’re affected is to contact Sprint directly.
If you aren’t a Sprint customer and never participated in a Sprint promotion to compare your phone bill to Sprint’s prices, you’re most likely unaffected by the exposure.
Just to be safe, it’s wise to change the password and PIN associated with your cell provider.
Business Insider Emails & Alerts
Site highlights each day to your inbox.