According to their website, Assist Wireless offers affordable Lifeline wireless phone service for individuals and families who have a low income and/or qualify for government assistance or Veterans programs.
It turns out that Assist Wireless' website was leaking customer data: driver licenses, passports and Social Security cards. Customers used Social Security cards to verify their eligibility to sign up for a free phone and plan. A security researcher by the name of John Wethington (@Shadow0pz on Twitter) found the exposed documents through a simple search using Google.
Avi Shua, CEO and Co-founder, Orca Security, provided his expert take on the common problem exemplified by this recent breach:
“The Assist Wireless data breach was not a new or sophisticated hack. It was simply the latest example in a long line of breaches stemming from organizations not realizing which folders, workloads or assets they have connected to the internet or hosted by third parties, and not having the proper credentials or multi-factor authentication in place to protect them.
For example, our State of Public Cloud Security Report found that 80 percent of organizations had an internet-facing service running on unpatched or unsupported Operating Systems. This simple error could be a disastrous mistake. It’s also an important reminder to always deploy cloud security early and in a way that provides continuous comprehensive visibility and yet doesn’t interfere with the development process.”