Sprint contractor leaks 261,000 phone bills and bank statements

A total of 261,300 documents containing the personal information of AT&T, Sprint, T-Mobile, and Verizon subscribers from as far back as 2015 have been made publicly available by a Sprint contractor.

As TechCrunch reports, the leak consists mainly of phone bills, which include the name, address, phone numbers, and call histories of customers across the four major networks. However, some of the documents are bank statements alongside screen grabs of usernames, passwords, and PIN numbers.

The leak was discovered by penetration testing company Fidus Information Security and has been tracked back to Sprint contractor and marketing agency Deardorff Communications. It looks to be accidental and is down to a lack of security surrounding the storage of the data.

Sprint collected the documents as part of an offer to US consumers allowing them to switch to Sprint without having to pay any early termination fees. Sprint would pay them for you. The leak occurred because the contractor decided to store the documents in an Amazon Web Services (AWS) storage “bucket,” but didn’t bother to use a password, therefore leaving them publicly available to anyone who cared to look.

Jeff Deardorff, president of Deardorff Communications, has since commented, “I have launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again.”

A Sprint spokesperson confirmed “the error has been corrected,” but what remains unclear is if any of the affected customers are going to be contacted and informed their personal details were shared. So far, only Verizon has confirmed it is currently reviewing what to do.

This article originally published at PCMag
here