Here's What Happens When a Sprint Contractor Exposes AT&T, T-Mobile, and Verizon Bills
On its website (which, on an unrelated note, is served over plain HTTP rather than HTTPS), Deardorff Communications, a marketing and communications company based in Georgia, says that its team is highly experienced in a variety of fields, including strategic planning, sales, and advertising. Unfortunately, when it comes to configuring Amazon Web Services storage buckets, that expertise is somewhat lacking.
A Deardorff employee put a little over a quarter of a million documents in an Amazon S3 bucket, failed to set a password, and forgot to change the access setting from "public" to "private". As a result, the bucket, along with every file in it, could be viewed from anywhere in the world. Not surprisingly, researchers from a penetration testing company called Fidus Information Security, the same people who revealed a security flaw in the Vatican's new eRosary as well as a data leak by Magic: The Gathering's publisher, eventually came across Deardorff's bucket.
Phone bills and plenty of sensitive information left out in the open
There were a little over 260,000 documents in the bucket, and the majority of them were cell phone bills belonging to AT&T, T-Mobile, and Verizon subscribers. Deardorff collected these files because Sprint, one of its biggest customers, wanted to persuade subscribers to switch cell phone service providers. According to one of the documents, Sprint was even prepared to pay the early termination fees, just to ensure that more people use its services.
The phone bills themselves reveal quite a lot of personal information and contact details, and they also often contain call logs, which some people probably prefer not to share with the rest of the world. In addition to all this, the researchers also found a bank statement and a screenshot that revealed the online usernames, passwords, and PINs of an unknown number of subscribers.
At first, it wasn't clear who had exposed the data. Shortly after finding the bucket, the experts notified Amazon, which got in touch with the data's owner and had it taken offline. For legal reasons, however, Amazon refused to tell Fidus who was responsible for the leak.
The data was also shared with Zack Whittaker from TechCrunch, who ran some of the files through a metadata checker and learned that they probably belonged to Deardorff. Jeff Deardorff, the marketing company's president, admitted that one of his employees was responsible for the leak and promised that he would do what he could to figure out what went wrong and what can be done to prevent similar incidents in the future.
Data leaks like this are far too common
Some of you might say that this is far from the most horrific data security incident and that many other kinds of documents can be far more dangerous. A quick look at your latest phone bill shows, however, that what looks like an innocuous piece of paper actually contains information that can easily lead to identity theft. In this particular case, Deardorff also exposed subscribers' passwords and PINs, which increases the risk of attacks like SIM swapping and credential stuffing.
The real problem is that similar leaks happen on a daily basis. More often than not, they are caused by simple, easily avoidable configuration mistakes, but a lack of training means that the IT people tasked with storing users' data securely often don't know what to check.
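The misconfiguration described above (a bucket left readable by everyone, with no public access block in place) is exactly the kind of thing a routine check catches. What follows is an added example, not code from the article, from Deardorff, or from Fidus: a small Python audit that takes a bucket's ACL grants, bucket policy and public access block settings in the shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and reports which grants make the bucket public. The sample bucket data is constructed for the example; the bucket name, owner ID and policy statement IDs are placeholders. It goes slightly beyond the article's single case by also handling policy-based exposure and the public access block flags that neutralise existing public grants.

```python
import json
from dataclasses import dataclass, field

# The two canned S3 group grantees that make an ACL grant public.
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
# The four flags of an S3 public access block configuration.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketReport:
    bucket: str
    public_acl_grants: list = field(default_factory=list)   # e.g. "AllUsers:READ"
    public_policy_sids: list = field(default_factory=list)  # statements open to any principal
    pab_gaps: list = field(default_factory=list)            # public access block flags left off

    @property
    def is_public(self) -> bool:
        return bool(self.public_acl_grants or self.public_policy_sids)


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principal forms "*", {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def audit_bucket(name, acl, policy_json, pab):
    """acl: get_bucket_acl() response; policy_json: the 'Policy' string from
    get_bucket_policy() or None; pab: the 'PublicAccessBlockConfiguration' dict
    or None when the bucket has no public access block configured at all."""
    report = BucketReport(name)
    pab = pab or {}
    report.pab_gaps = [f for f in PAB_FLAGS if not pab.get(f, False)]

    # ACL grants to the global groups let anyone list or read the bucket,
    # unless IgnorePublicAcls is on, which tells S3 to disregard such grants.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                report.public_acl_grants.append(f"{group}:{grant.get('Permission')}")

    # Policy statements that Allow a wildcard principal with no Condition are public,
    # unless RestrictPublicBuckets is on, which limits them to the bucket owner's account.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        statements = json.loads(policy_json).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for i, stmt in enumerate(statements):
            if (stmt.get("Effect") == "Allow"
                    and _principal_is_anyone(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                report.public_policy_sids.append(stmt.get("Sid", f"statement[{i}]"))
    return report


# Constructed sample inputs (placeholders, not real data): a bucket left the way the
# article describes, and the same bucket after it has been locked down.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PRIVATE_ACL = {"Owner": EXPOSED_ACL["Owner"], "Grants": [EXPOSED_ACL["Grants"][0]]}
LOCKED_DOWN_PAB = {flag: True for flag in PAB_FLAGS}


if __name__ == "__main__":
    for label, acl, policy, pab in (("exposed", EXPOSED_ACL, EXPOSED_POLICY, None),
                                    ("hardened", PRIVATE_ACL, None, LOCKED_DOWN_PAB)):
        r = audit_bucket("example-bucket", acl, policy, pab)
        print(label, "PUBLIC" if r.is_public else "private",
              r.public_acl_grants, r.public_policy_sids, "missing PAB flags:", r.pab_gaps)
```

In a live account the three input dicts come straight from the corresponding boto3 calls (get_bucket_policy and get_public_access_block raise NoSuchBucketPolicy and NoSuchPublicAccessBlockConfiguration when nothing is set, which maps to passing None). Turning on all four public access block flags, for example with `aws s3api put-public-access-block`, neutralises existing public ACL grants and wildcard policy statements immediately, which is why the audit treats IgnorePublicAcls and RestrictPublicBuckets as closing the exposure even before the offending grants are deleted.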
Deardorff didn't say when the bucket was first opened to the public, and nobody can confirm whether or not cybercriminals got to it before it was taken offline. Zack Whittaker asked AT&T, Verizon, and T-Mobile for further comment, but he received nothing substantial, most likely because the three telecommunications providers simply don't have anything to add. The upshot is that we don't know how many people were potentially affected by the leak, which means that if you're an AT&T, Verizon, or T-Mobile subscriber, or if you have switched from one of them to Sprint, you might want to watch out for any signs of fraud or identity theft.