Carrier breach shows the potential peril of third-party plugins
U.S. cell carrier Assist Wireless recently suffered a breach that mistakenly exposed thousands of personal documents on its site, calling attention to the risks posed by third parties.
A third-party plugin was responsible for the accidental exposure of thousands of Assist Wireless customer passports, Social Security cards and driver’s licenses.
This data equips fraudsters with all the information they need to take over wireless accounts — but it doesn’t stop there.
This information can be used to access bank accounts and, combined with other information on the dark web, to access social media profiles, email accounts and more. Because the exposed information was directly connected to a user’s cell phone account, fraudsters can make a strong case to Assist Wireless that the phone was lost or stolen, convincing the carrier to activate a new SIM card, tied to the legitimate user’s phone number, on a phone owned by the fraudster.
This SIM swap would further grant the fraudster control over the user’s accounts, allowing them to request that account verification codes or links be sent to the device. Once logged in, fraudsters can easily transfer money from bank accounts, post offensive content from the user’s social media profiles, send fraudulent emails on behalf of the user and even change passwords to lock legitimate users out entirely.
Even if enterprises have battened down the hatches on their own security, their efforts become meaningless if they do not ensure their vendors have done the same. It is critical that enterprises thoroughly vet their selected partners, especially those that handle and manage customer data. This ensures personal information stays with the user and out of the hands of fraudsters.