Wireless Provider Openly Shares Private Data Of 2 Million Subscribers
Another day, another notable privacy scandal we won't do much about.
Q Link Wireless is the latest company to be under fire for particularly lax security and privacy standards after it exposed the private data of its 2 million wireless customers. The company's My Mobile Account app (for iOS and Android) is supposed to let subscribers monitor their wireless accounts, while letting them track remaining data allotments and buy more data when needed. But for users, the app also displays the name, addresses, phone and text histories, last four digits of their credit card, and the account number needed to port your number out.
And all of this data was left openly exposed for anybody to access, provided you had the phone number of any of Q Link Wireless' 2 million subscribers.
The problem was first spotted by Reddit users and subsequently confirmed by Ars Technica:
"Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That's right-no password or anything else required.
When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate."
It's not clear how long this screw up has been live, but complaints began popping up on Reddit sometime last year. When Ars reached out to the company it couldn't be bothered to respond:
"I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn't respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers."
It's worth noting that Q Link Wireless customers are generally lower-income users enrolled in the FCC's Lifeline program (which doles out a modest $9.25 monthly subsidy to be used for wireless, wired broadband, or phone service) and as such are potentially the least likely to be able to afford issues related to identity theft and fraud. Also worth reminding folks: in 2015 the FCC passed some relatively basic broadband privacy rules that were subsequently demolished by the GOP at the behest of the telecom lobby before they could take effect. So, good job all around, I guess.