TechCrunch first reported that U.S. cell carrier Assist Wireless left tens of thousands of personal customer documents on its website by mistake.
According to their website, Assist Wireless offers affordable Lifeline wireless phone service for individuals and families who have a low income and/or qualify for government assistance or Veterans programs.
It turns out that Assist Wireless' website was leaking customer data: driver's licenses, passports and Social Security cards. Customers used Social Security cards to verify their eligibility to sign up for a free phone and plan. A security researcher by the name of John Wethington (@Shadow0pz on Twitter) found the exposed documents through a simple search using Google.
Avi Shua, CEO and Co-founder, Orca Security, provided his expert take on the common problem exemplified by this recent breach:
“The Assist Wireless data breach was not a new or sophisticated hack. It was simply the latest example in a long line of breaches stemming from organizations not realizing which folders, workloads or assets they have connected to the internet or hosted by third parties, and not having the proper credentials or multi-factor authentication in place to protect them.
For example, our State of Public Cloud Security Report found that 80 percent of organizations had an internet-facing service running on unpatched or unsupported Operating Systems. This simple error could be a disastrous mistake. It’s also an important reminder to always deploy cloud security early and in a way that provides continuous comprehensive visibility and yet doesn’t interfere with the development process.”