The personal information of hundreds of thousands of CenturyLink customers was exposed online via an open database that has since been closed.
According to a report by Comparitech, the exposed database contained names, addresses, email addresses, phone numbers and other account-specific information. The database, which held 2.8 million records, was left open online without authentication and could be read by anyone with internet access.
In its report, Comparitech said it discovered the exposed MongoDB instance on Sept. 15 while working with security researcher Bob Diachenko. Diachenko contacted CenturyLink immediately after the discovery. The database was secured on Sept. 17.
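The report does not say how the vendor's MongoDB ended up reachable by anyone on the internet. The following mongod.conf fragments are an added illustration, not configuration from Comparitech, CenturyLink or the unnamed vendor, and they assume the most common cause of this kind of exposure: the server bound to every network interface with access control left at its default of disabled. The second document shows the hardened equivalent; the private address, certificate path and MongoDB 4.2+ TLS options in it are illustrative assumptions.

```yaml
# Added example: assumed misconfiguration behind an internet-readable MongoDB.
# mongod listens on all interfaces and security.authorization is not set,
# which means it stays at MongoDB's default of "disabled". Any client that can
# reach TCP/27017 can run listDatabases, find and dump collections.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
security:
  authorization: disabled  # explicit here; omitting the key has the same effect
---
# Hardened equivalent (added example). Only clients on the host itself or the
# assumed private address 10.0.0.5 can connect, every connection needs TLS, and
# every command needs an authenticated user with a role that permits it.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5              # assumed private interface; never 0.0.0.0
  tls:
    mode: requireTLS                      # MongoDB 4.2+ option names
    certificateKeyFile: /etc/ssl/mongod.pem  # assumed path to the server cert+key
security:
  authorization: enabled                  # users and roles are enforced
```

A quick check that the hardened settings took effect is to connect from a host outside the allowed addresses without credentials and run `db.adminCommand({listDatabases: 1})`; on a correctly configured server the connection either fails at the network layer or the command is refused with "command listDatabases requires authentication". Periodically searching Shodan for your organization's address ranges catches the case where someone re-opens the port later.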
"Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident," a CenturyLink spokesman said in an email to FierceTelecom. "The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. We will continue to work to protect customer information. CenturyLink takes the protection of our customers’ information seriously, and we will work to ensure that we earn our customers’ trust."
CenturyLink's spokesman also said customers were being notified and that the company was still conducting its own internal investigation. CenturyLink didn't provide any additional information on the Federal Communications Commission's (FCC) investigation.
The database was first indexed by Shodan on Nov. 17 of last year, which means it could have been exposed for up to 10 months before it was secured. Shodan's first-seen date is only a lower bound on how long the server was reachable, and it does not show whether anyone actually read the data; a window that long nonetheless gave anyone with malicious intent ample time to find and copy the exposed records.
On Wednesday, Comparitech received notification that the FCC's investigation into the matter had concluded. Comparitech said that after it alerted CenturyLink, the company asked it to hold off publishing its report until CenturyLink had conducted an internal investigation and referred the issue to the FCC, which it did before notifying its customers.
The exposed MongoDB instance belonged to a third-party vendor that Comparitech did not name in its report. The vendor's multi-channel notification platform could be used for external and internal communications among customers, technicians and agents.
The exposed API logs included communications between CenturyLink and its customers, stored in plain text rather than encrypted, according to Comparitech. The data also listed the services to which each CenturyLink customer subscribed. Comparitech said it wasn't clear whether the exposed data belonged to residential or business customers, but based on the addresses they appear to be mostly, if not all, residential subscribers.
While the database held 2.8 million records, Comparitech said some subscribers were the subject of multiple records, so it estimated that the number of affected customers was much lower, though still in the hundreds of thousands.
In its report, Comparitech advised CenturyLink broadband subscribers to be on the lookout for targeted phishing schemes and other scams carried out over the phone, by email or even by direct mail. With a subscriber's name, address, phone number and list of services in hand, a scammer could contact that subscriber, pose convincingly as a company representative and ask for banking details, account passwords or credit card numbers, none of which the exposed database is reported to have contained.