Sprint is a cell giant that provides wireless services and is an internet service provider. A contractor working for Sprint stored hundreds of thousands of Verizon, AT&T, and T-Mobile cell phone bills on an unprotected cloud server. The storage bucket held more than 261,300 documents, the majority of which were mobile phone bills dating back to 2015. The bucket, hosted on Amazon Web Services (AWS), was not password-protected, so anybody could access the data inside. According to Sprint-branded documents found on the server, these bills, which contained names, addresses, and phone numbers, and in many cases call logs, were collected as part of an offer to let mobile subscribers switch to Sprint. The documents explain how the cell giant pays subscribers’ early termination fees so they can break their current cell service contracts, a sales strategy commonly used by cell providers.
In some cases, more sensitive documents were found, including a bank statement and a screenshot of a web page showing subscribers’ usernames, account PINs, and passwords. This data could allow access to a customer’s account. Fidus Information Security, a UK-based penetration testing firm, noticed the exposed data, as it was not cleared immediately. The firm reported the security lapse to Amazon, and it was then passed on to customers. The storage bucket was also closed.
After a brief review of the cache, a document that simply said “TEST” was run through a metadata checker, which revealed the name of the person who created it. The person is an account executive at Deardorff Communications, a marketing agency responsible for Sprint promotions. When reached, Deardorff Communications president Jeff Deardorff confirmed that his company owned the bucket. Access to the bucket was restricted earlier on Wednesday. He said in an email to TechCrunch (owned by Verizon) that he had conducted an internal investigation to determine the root cause of the problem, and that the agency is updating its procedures and policies to avoid similar mistakes in the future.