Assist Wireless LLC, a U.S. mobile virtual network operator that provides phone services to the underprivileged with government support, has suffered a data breach with customer records found exposed online.
The exposed customer data was discovered by security researcher John Wethington and first reported today by TechCrunch. Remarkably, the data was found through a simple Google search and included tens of thousands of customer documents, including driver's licenses, passports and Social Security numbers, that customers used to verify their eligibility for a free phone and plan.
Before going public, TechCrunch reached out to Access Wireless, and the documents have been removed. The company had not published a breach disclosure on its website at the time of writing but did confirm the leak. It said the leak was the result of the third-party plugin Imagify placing backups of images in a separate folder that was not secure.
“Assist Wireless takes security and consumer data very seriously,” the carrier told TechCrunch. “We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward.”
Robert Prigge, chief executive officer of identity verification solutions company Jumio Corp., told SiliconANGLE that the data equips fraudsters with all the information they need to take over wireless accounts, but it doesn’t stop there.
“This information can be used to access bank accounts and combined with other information on the dark web to access social media profiles, email accounts and more,” he said. “As the exposed information was directly connected to a user’s cell phone account, fraudsters can make a strong case with Assist Wireless that the phone was lost or stolen, convincing them to activate a new SIM card connected to the legitimate user’s phone number on a phone owned by the fraudster.”
That’s worrisome, he added, because “this SIM swapping would further grant the fraudster control over the user’s accounts, allowing them to request account verification codes/links be sent to the device. Once logged in, fraudsters can easily transfer money from bank accounts, post offensive content from the user’s social media profiles, send fraudulent emails on behalf of the user and even change passwords to lock legitimate users out entirely.”
This article originally appeared in SiliconANGLE.