Analysts at Fidus Information Security, a UK-based penetration testing firm, discovered an Amazon Web Services (AWS) bucket left unprotected on the internet. The bucket contained more than 260,000 documents belonging to cell phone customers from most of the major carriers, including AT&T, Verizon, and T-Mobile.
The vast majority of the files were phone bills dating as far back as 2015, which exposed subscribers' names, addresses, phone numbers, and call histories. Other sensitive documents were found on the vulnerable server as well, including at least one bank statement and a screenshot of a webpage containing subscribers' usernames, passwords, and account PINs.
Fidus was not able to immediately identify the owner of the exposed server, so it notified AWS of the leak. Amazon contacted the customer without revealing its identity, and the bucket was shut down.
Perhaps the fact that Sprint subscribers were nearly absent in the cache of documents (only a few bills from the carrier were found) was a clue as to who was behind the exposure, but it was purely circumstantial.
TechCrunch was able to briefly look through some of the documents and discovered one that just said "TEST." Running the file through a metadata checker revealed the name of a Deardorff Communications account executive. Deardorff is a marketing agency that handles Sprint promotions.
The documents were likely used as proof of existing coverage so that Sprint could pay off the cancellation fees of subscribers switching to it. Pretty much all of the telecoms will do this to poach customers from each other.
Jeff Deardorff, the CEO of the marketing firm, confirmed that his company owned the AWS bucket and said they restricted access to it on Wednesday when they were notified.
"I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn't happen again," Deardorff told TC.
When approached, AT&T and T-Mobile did not comment. A spokesman for Verizon, which owns TechCrunch, said the telecom provider is "currently reviewing" the situation and would have more details as it uncovered them.
Sprint, which ultimately is responsible for the data, even if only by proxy, would not disclose the nature of its ties to Deardorff Communications. However, a spokesperson said, "[Sprint has been] assured that the error has been corrected."