- The personal data of hundreds of thousands of cell subscribers was left exposed on an unprotected server.
- The exposure, first reported by TechCrunch, occurred after a contractor working with Sprint left subscribers' phone bills unprotected on a server hosted by Amazon Web Services.
- Phone bills affected by the exposure included subscribers of Sprint, AT&T, Verizon, and T-Mobile.
- Visit Business Insider's homepage for more stories.
Hundreds of thousands of cell subscribers' personal information was accidentally left unprotected on a cloud server hosted by Amazon Web Services, according to a report from Fidus Information Security.
The data exposure includes names, addresses, phone numbers, and users' call histories, TechCrunch first reported. Some users' login information, including usernames, passwords, and PINs, were also exposed. Phone bills affected by the exposure included those from subscribers of AT&T, Verizon, and T-Mobile, which were in Sprint's possession because of a promotion in which Sprint compared its prices to users' current cell plans.
It's not clear whether hackers accessed the data while it was exposed. Sprint did not immediately respond to Business Insider's request for comment, but a Sprint spokesperson told TechCrunch that "the error has been corrected."
The server was owned by a third-party contractor working with Sprint, and was hosting phone bills of users switching from other cell providers to Sprint. That third-party contractor was marketing firm Deardorff Communications, president Jeff Deardorff confirmed to TechCrunch.
Data exposures are a fairly common security risk in the realm of cloud storage. This risk is especially heightened when data is being shared with third-party contractors, who are less likely to possess the security infrastructure and know-how to protect user data, according to cybersecurity experts.
"Cloud data storage systems are inherently dangerous ... safely leveraging cloud databases requires very specific, robust operating standards," Kelly White, CEO of cyber risk software company RiskRecon, told Business Insider. "Even if an organization chooses to not leverage certain cloud database technologies due to their inherent hazard, it is certainly the case that their third-parties do."How to find out if you're affected
Federal rules require companies to inform customers when their personal data is affected by an exposure. However, it's unclear whether Sprint or the third party, Deardorff Communications, is assuming responsibility for that role (a Deardorff Communications spokesperson did not immediately respond to Business Insider's request for comment).
As such, if you're a Sprint customer or someone who considered switching to Sprint, the simplest way to find out if you're affected is to contact Sprint directly.
If you aren't a Sprint customer and never participated in a Sprint promotion to compare your phone bill to Sprint's prices, you're most likely unaffected by the exposure.
Just to be safe, it's wise to change the password and PIN associated with your cell provider.
- The FBI just issued a warning about the risks of owning a smart TV — here are its suggestions for protecting your privacy
- Read the full transcript of Amazon CEO Jeff Bezos and his top executive team's leaked responses to employee questions from its internal all-hands meeting
- A security expert found that Apple's latest iPhone can still track your location data, even if you toggle it off for every app