Security researchers recently discovered an unsecured, unencrypted online database owned by South African ICT company Conor that contained highly sensitive personal information on hundreds of thousands of mobile subscribers in many countries.
Researchers Noam Rotem and Ran Locar at VpnMentor noted that the Conor database "exposed all internet traffic and activity" of mobile users, as well as "highly sensitive and private activity, including pornography". The case illustrates how lax security practices at data controllers and data processors can put the security and privacy of millions of people at serious risk of exposure.
Conor, the South African ICT company that owns the unsecured database, offers various software products to a large number of ISPs located in Africa and South America. Products offered by the company pertain to finance, mobile internet, SMEs, and data monetization, and over 80 million mobile subscribers use the company's products.
The researchers observed that Conor was constantly updating the unsecured database with user activity logs from multiple countries, and that it contained over 1 million records occupying about 900GB of space.
The information was likely collected by proprietary software developed by Conor that was being used by ISPs to filter web traffic and to regulate users' access to certain websites and types of online content.
Exposed Conor database could allow criminals to dox and blackmail mobile users
Information stored in the database included full URLs of websites visited by users, the amount of time each visitor spent on a website, the volume of data transferred per session, index names that allow easy identification of daily activity, IP addresses, and apps used by subscribers such as iCloud, Google Maps, Microsoft apps, Facebook, and WhatsApp.
The researchers found that, using the information in the database, they could accurately identify mobile subscribers' social media profiles, view their detailed online activities, and build detailed digital profiles of them.
"The greatest risk in this breach is to the people whose data was exposed. The database contained live traffic logs of all their online activities, along with PII of users. This means there is zero privacy for those affected. The leak made them vulnerable to a wide range of online attacks and fraud. These could have devastating effects, both personally and financially," the researchers noted in a blog post.
"Not only was our team able to view a user’s online activity but with the PII revealed in the database, we were able to find their social media accounts. This is known as doxing: using known data about a person to discover and expose their identity. Doxing is often done with malicious intent, with the exposed person subsequently targeted for bullying and harassment.
"With access to a person’s porn history, hackers and cybercriminals could target them for bullying, or worse, blackmail and extortion. Many people would be deeply embarrassed by their porn search history, and cybercriminals know this. By threatening to expose a victim’s online porn activity to their families or work colleagues, criminals could extort large sums of money from them," they added.
The researchers said that news of the massive exposure of highly sensitive customer records may severely tarnish the reputation of over a dozen ISPs operating in Africa and South America and leave them open to loss of business or legal action.
The exposure may also damage Conor's relationship with those ISPs, who may be reluctant to use the ICT company's products in the future and may demand compensation from the company, VpnMentor noted.
Conor reiterates its compliance with stringent data security requirements
Adapt IT, the parent company of Conor Solutions, said that it became aware of the exposure only after VpnMentor's findings were reported, and maintained that critical customer data such as information about children, financial information and mobile subscribers' passwords were not compromised.
"On 10 December, Adapt IT was approached by local news agencies who had been alerted by vpnMentor of the portal’s existence. vpnMentor allegedly accessed the portal and extracted data in a report format, which may have exposed the (i) mobile numbers; (ii) names; and (iii) partial Internet usage activity (including IP addresses or domains visited), excluding encrypted usage, of customers using this service for a limited duration," said Sbu Shabalala, CEO of Adapt IT.
"Adapt IT has contacted the affected customers directly and no further action is required from our customers. As the portal had been terminated before Adapt IT became aware of the possible access, no further preventative measures are required.
"The business holds itself to best practices with regards to the protection of personal information. Even though it is not yet a legal requirement, Adapt IT’s systems are in line with the Protection of Personal Information Act. We always conduct ourselves in a responsible manner when collecting, processing, and storing any entity’s information. Protecting our clients’ confidential information is a key priority for us," he added.