A Sprint contractor, Deardorff Communications, stored data containing 261,000 phone bills and bank statements in Amazon Web Services, according to reports.
The contractor made the documents publicly available, exposing the names, addresses, phone numbers, and call histories of Sprint, Verizon, AT&T, and T-Mobile customers since 2015. In addition to these sets of data, customers’ bank statements were exposed, as well as usernames, passwords, and PIN numbers, all out for the world to see.
According to TechCrunch, the ‘storage bucket containing at least 261,000 documents was hosted on Amazon Web Services and was not protected by a password.’ This setup allows anyone to access the stored data. The contractor cannot recall how long the storage bucket was exposed or whether any data tampering occurred.
The UK-based penetration testing company Fidus Information Security discovered the leak, which was traced back to Deardorff Communications, a Sprint contractor. Experts believe that this incident was accidental and happened due to the ‘lack of security surrounding the storage.’
Fidus was able to contact Amazon to shut down the storage bucket.
Meanwhile, Deardorff Communications President Jeff Deardorff took charge of the incident and said, “I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again.”
Sprint, on the other hand, responded to the incident by saying, “the error has been corrected.” Lisa Belot of Sprint indicated that the company is investigating and correcting the error. However, it is still unclear whether the parties involved were notified of the incident. In addition, no customers have been reported as having problems with their personal and bank data. So far, only Verizon has confirmed the incident and is currently reviewing the steps to take to prevent bigger issues.
As part of Sprint’s no-termination-fee program, US customers can easily switch to Sprint without having to pay any fees. The catch is that Sprint needs to collect the customer’s information and documents. As a result, the data leak affected not only Sprint customers but also customers of three other telecommunications companies.
Amazon is also responding to the incident and recently hinted at Access Analyzer, a tool that corrects the configuration of buckets and potentially exposed data, making it easy to block access with a single click.