Wireless Provider Openly Shares Private Data Of Subscribers
from the whoops-a-daisy dept
Editor's Note, May 7, 2021: Q Link Wireless has contacted us to dispute that the privacy failure impacted Q Link customers, stressing that its Hello Mobile brand is separate from Q Link. We will note that the two companies are connected, as Q Link made clear in its press release announcing its “new prepaid phone brand, Hello Mobile,” stating that the CEO of both companies is the same, Issa Asad. Both companies are listed in the FCC’s telecommunications companies database as having the same address and being owned by the same parent firm, Quadrant Holdings, which also has the same CEO, Issa Asad. The “My Mobile” iOS app Ars Technica revealed to have exposed consumer data is listed as having been developed by Q Link Wireless. The maker of the corresponding Android app is a separate company, Vector Holdings. According to publicly filed FCC documents, Vector Holdings is also a subsidiary of Quadrant Holdings and run by Issa Asad. We have updated the post to reflect that the public evidence shows the data being exposed specifically for Hello Mobile users.
Another day, another notable privacy scandal we won't do much about.
Q Link Wireless's Hello Mobile service is the latest company to come under fire for particularly lax security and privacy standards after it was found to have exposed the private data of its wireless customers. The company's My Mobile Account app (for iOS and Android) is supposed to let subscribers monitor their wireless accounts, track remaining data allotments, and buy more data when needed. But the app also displays users' names, addresses, phone and text histories, the last four digits of their credit card, and the account number needed to port their number out.
And all of this data was left openly exposed for anybody to access, provided you had the phone number of any Hello Mobile customer.
The problem was first spotted by Reddit users and subsequently confirmed by Ars Technica:
"Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That’s right—no password or anything else required.
When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate."
It's not clear how long this screw-up has been live, but complaints began popping up on Reddit sometime last year. When Ars reached out to the company, it couldn't be bothered to respond:
"I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn’t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers."
It's worth noting that Q Link Wireless customers are generally lower-income users enrolled in the FCC's Lifeline program (which doles out a modest $9.25 monthly subsidy to be used for wireless, wired broadband, or phone service) and as such are potentially the least likely to be able to afford issues related to identity theft and fraud. Also worth reminding folks: in 2015 the FCC passed some relatively basic broadband privacy rules that were subsequently demolished by the GOP at the behest of the telecom lobby before they could take effect. So, good job all around, I guess.
Filed Under: data leak, exposed data, privacy, security
Companies: q link wireless
Reader Comments
Hall of Shame
It seems like we hear about this kind of thing every week. I wonder if someone has put together a list of companies, their failure(s), and what/if they have done anything to address it since. It'd be nice to do a quick privacy/security background check on a company before entering into a contract with them.
[ link to this | view in chronology ]
Re: Hall of Shame
The problem is they have all done it.
This is made that much worse because the victims aren't photogenic enough to inspire outrage.
We can't even get laws demanding basic security standards with penalties for failing to follow them despite the huge failures over & over & over.
[ link to this | view in chronology ]
Re: Re: Hall of Shame
But like Celyxise said, the issue isn't who's done it. The issue is, how did they respond when the issue was discovered?
I've seen everything from a public RCA that determines what went wrong at what levels of process and what was done to fix each of those issues, to... crickets.
I have no problems working with companies that make mistakes and leak PII. I have PLENTY of issues with companies that do it and care more about covering it up than protecting their customers going forward. Because if I am going to be a customer, I want to know they've already learned from their past mistakes.
[ link to this | view in chronology ]
Does Q Link Wireless consider the real scandal to be the fact that they're not being paid for all the leaked private information?
[ link to this | view in chronology ]
Re:
Their shareholders certainly would be ill pleased for the lack of proper monetization, I'm sure.
[ link to this | view in chronology ]
Still waiting for this to hit the fan.
If everyone's data is dumped to the net, and anyone can use it.
The banks are going to have Soo much fun.
The gov is going to hate this to the max(headroom).
How to prove who is who and who used your credit card.
Star card anyone?
Tattoo? Embedded chip anyone? (I feel like my dog) Perfect Facial ID?
Let's take pictures of every transaction that can be made. Oops Google/amazon/FB/.. is going to have Fun with this.
[ link to this | view in chronology ]
Class action lawsuit?
This is happening to me right now. I've talked to three people. I talked to the person whose number I had. I can see all her texts. I told her everything. I wonder if someone has my number.
This is huge! Major privacy violation. What if someone got a very personal, sensitive text.
I would think there are attorneys that wouldn't charge a retainer, and only take money if they win.
[ link to this | view in chronology ]