Connect with us

Hi, what are you looking for?


Data Protection

Canadian Telecom Firm Freedom Mobile Exposed Customer Details

Freedom Mobile, Canada’s fourth largest mobile network operator, through a third-party service provider, exposed the details of many customers, including their payment card data.

Freedom Mobile, Canada’s fourth largest mobile network operator, through a third-party service provider, exposed the details of many customers, including their payment card data.

vpnMentor reported on Tuesday that its researchers had identified an unprotected database storing information on Freedom Mobile customers, including email addresses, phone numbers, home addresses, dates of birth, IP addresses associated with payment methods, credit scores (from Equifax and other companies), unencrypted payment card data with CVV codes, locations and other customer service records, and account details.

vpnMentor claimed the unprotected database stored at least 5 million records associated with as many as 1.5 million users, which is roughly Freedom Mobile’s total number of customers.

However, Freedom Mobile, which is owned by Shaw Communications, said the number is inaccurate. Its investigation revealed that the database stored the details of only 15,000 customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 16.

“Any reference to 1.5 million customers affected is inaccurate – the researchers could be referencing the number of lines of data exposed but it is certainly not a reference to the number of customers affected. If it is a reference to the number of lines of data, it’s worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information,” a Freedom Mobile spokesperson told SecurityWeek.

“We are also seeing data from test accounts, which is to be expected given the new status of the vendor, and data from people who came to stores and applied for service but didn’t complete a transaction,” the company added.

Freedom Mobile blamed the incident on Apptium Technologies, a company recently contracted to help streamline its retail customer support processes.

Advertisement. Scroll to continue reading.

The existence of the unprotected database was reported to the telecom firm on April 18 and the issue was addressed on April 23. The company said it took action after verifying the “legitimacy of the researchers’ emails.”

Freedom Mobile’s investigation, whose goal is to determine the full scope of the incident, is ongoing. The company claims to have notified the Office of the Privacy Commissioner of Canada (OPC).

vpnMentor recently also identified unprotected databases storing the details of customers of Chinese e-commerce company Gearbest and roughly 80 million households in the United States.

Related: Unprotected MongoDB Instance Exposes 800 Million Emails

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Dow Jones Watchlist Found Exposed to Open Internet

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.