A database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, was just found online.
The database is run by TrueDialog, an SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages of its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.
The database stored years of text messages sent and received by its customers and processed by TrueDialog. The database was left unprotected on the internet without a password, and none of the data was encrypted, so anyone could look inside.
Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts.
Joseph Lorenzo Hall, Senior Vice President at Internet Society, had the following to say:
Another data breach of massive proportions due to incompetence on behalf of a service provider. This is increasingly common and definitely unacceptable in terms of running a modern service… this is the exact opposite of an important concept of data stewardship, or “business data hygiene”. You just don’t leave data like this lying around!
It’s particularly unfortunate it was business SMS text messages here. SMS is a very useful technology as everyone who has a mobile phone has this capability, but it also means that this will affect a broad swath of society.
SMS text messages are highly insecure: they are not authenticated — they can easily be spoofed — and they are not confidential — meaning they can be eavesdropped upon and even changed in transit. Unfortunately more secure options don’t work across Android and iOS, although this is being worked on.
This is a good case study for businesses to attempt more secure messaging options with their customers, using custom WhatsApp, Signal, or other technologies.
It’s crucial that victims in this database are notified so that they can be aware of any potential threats that might include changing their passwords or other ways of taking over online accounts, which is a big focus of cybercriminals.
I would expect and urge attention by state Attorneys General as if this breach results in actual financial or physical harm, this company will likely be sued out of existence for this kind of colossal mistake! Some mistakes a business should not be able to escape from given their consequences.