Wireless Provider Openly Shares Private Data Of Subscribers
from the whoops-a-daisy dept
Editor's Note, May 7, 2021: Q Link Wireless has contacted us to dispute that the privacy failure impacted Q Link customers, stressing that its Hello Mobile brand is separate from Q Link. We will note that the two companies are connected, as Q Link made clear in its press release announcing its “new prepaid phone brand, Hello Mobile,” stating that the CEO of both companies is the same, Issa Asad. Both companies are listed in the FCC’s telecommunications companies database as having the same address and being owned by the same parent firm, Quadrant Holdings, which also has the same CEO, Issa Asad. The “My Mobile” iOS app Ars Technica revealed to have exposed consumer data is listed as having been developed by Q Link Wireless. The maker of the corresponding Android app is a separate company, Vector Holdings. According to publicly filed FCC documents, Vector Holdings is also a subsidiary of Quadrant Holdings and run by Issa Asad. We have updated the post to reflect that the public evidence shows the data being exposed specifically for Hello Mobile users.
Another day, another notable privacy scandal we won't do much about.
Q Link Wireless's Hello Mobile service is the latest to come under fire for particularly lax security and privacy standards after it was found to have exposed the private data of its wireless customers. The company's My Mobile Account app (for iOS and Android) is supposed to let subscribers monitor their wireless accounts, track remaining data allotments, and buy more data when needed. But the app also displays each user's name, addresses, phone and text histories, the last four digits of their credit card, and the account number needed to port their number out.
And all of this data was left openly exposed for anybody to access, provided you had the phone number of any Hello Mobile customer.
The problem was first spotted by Reddit users and subsequently confirmed by Ars Technica:
"Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That’s right—no password or anything else required.
When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate."
It's not clear how long this screw-up has been live, but complaints began popping up on Reddit sometime last year. When Ars reached out to the company, it couldn't be bothered to respond:
"I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn’t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers."
It's worth noting that Q Link Wireless customers are generally lower-income users enrolled in the FCC's Lifeline program (which doles out a modest $9.25 monthly subsidy to be used for wireless, wired broadband, or phone service) and as such are potentially the least likely to be able to afford issues related to identity theft and fraud. Also worth reminding folks: in 2015 the FCC passed some relatively basic broadband privacy rules that were subsequently demolished by the GOP at the behest of the telecom lobby before they could take effect. So, good job all around, I guess.