Workload and Application Security Blog

Sprint Contractor Left Thousands Of Other Vendors' Mobile Phone Bills Exposed on AWS Storage Server

Written by Virsec | Dec 11, 2019 2:02:52 AM

Journal of Cyber Policy, IS Buzz News, December 6, 2019, with comments by Satya Gupta.

Hundreds of thousands of customer phone bills from AT&T, Verizon and T-Mobile were found on an exposed storage server

Last week TechCrunch reported that a Sprint contractor had placed hundreds of thousands of cell phone bills belonging to subscribers on an unprotected Amazon AWS server. The bills were for AT&T, Verizon and T-Mobile customers. The cloud storage bucket held 261,300 documents, primarily phone bills for these users going back to 2015.

The server had no password protection, so anyone who found it could access the data. How long it was exposed is not known.

The phone bills had been collected for a promotional offer intended to persuade users to switch to Sprint. This was made clear by Sprint documents also found on the server: Sprint would offer to cover subscribers' early termination fees if they switched to Sprint.

Among the other, more sensitive items found was a document labelled "TEST" whose metadata contained the name of executive Jeff Deardorff of Deardorff Communications, the agency managing the Sprint promotional campaign. Jeff Deardorff, President of the agency, has said his company is conducting an internal investigation to identify the cause of the exposed server, which he acknowledged Deardorff Communications was responsible for. He also noted that access to the server had been restricted earlier that day.

Satya Gupta, co-founder and CTO of Virsec comments on this latest data leak:

“We’ve seen this same pattern of carelessness over and over. Far too many people with access to sensitive data can far too easily upload it to AWS or other cloud services, without ensuring basic security. Organizations need to establish much stronger controls on who can set up and access cloud storage. The bar also needs to be much higher for the cloud providers.

AWS and others like to wash their hands of responsibility for customer data saying they have a “shared security model.” But they need to at least provide security by default to reduce the chance of careless errors. We’re already seeing an enterprise backlash against cloud providers, with many businesses moving sensitive data and apps back on-premise. If AWS and others don’t step up, this trend away from the cloud will accelerate.”

Sources:

https://journalofcyberpolicy.com/2019/12/06/news-insights-thousands-u-s-cell-phone-bills-exposed-sprint-contractor-techcrunch/

https://www.informationsecuritybuzz.com/expert-comments/sprint-contractor-left-aws-bucket-containing-thousands-of-mobile-phone-bills-exposed/


Further resources:

Capital One Experiences Third Largest Financial Hack from AWS Insider

Researchers find 7% of all Amazon servers exposed