Details related to more than 4 million Time Warner Cable customers were exposed online in a major data breach, according to a report from Kromtech Security, but it was a partner of the US cable operator, rather than TWC itself, that was at fault, according to the security export.
According to a report published on Kromtech's MacKeeper Security Research Center, two cloud-based data repositories managed by BroadSoft Inc. that contained sensitive customer information were configured to enable public access, leaving the information exposed.
Kromtech notes that among the data exposed to public access was a "User Profile Dump" dated 7 July 2017 that contained "more than 4 million records, spanning the time period 11-26-2010 - 07-07-2017, with Transaction ID, user names, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more. Other databases also have billing addresses, phone numbers etc. for hundreds of thousands of TWC customers."
The Kromtech team alerted BroadSoft using an email address found in one of the repositories, which were hosted by Amazon Web Services (AWS). One of the repositories was secured almost immediately following the email warning, despite claims by an India-based BroadSoft engineer (in an email response to Kromtech) that the repository had nothing to do with the cloud-based unified comms specialist. The second repository was secured later following an email notification to TWC, which is now owned by Charter Communications Inc. (See Meet the New Charter and Charter Seals Deals for TWC, Bright House .)
The information exposed appears to be related to TWC customers that had used the MyTWC app, which was developed by BroadSoft. Charter and BroadSoft have acknowledged the breach and informed Reuters that an investigation is underway, though the data does not appear to have been accessed by any other parties.
The exposure couldn't have come at a worse time for BroadSoft, which is scouring the market for a potential buyer. (See 'For Sale' Rumor Lights Fire Under Broadsoft's Stock.)
BroadSoft has hundreds of network operator customers, all of which will be wondering if any of their data is being held in exposed databases. While it's unlikely that multiple BroadSoft customers have anything to worry about, this incident will undermine confidence in the unified comms specialist and make potential suitors wary about potential security breaches that could, in the future, lead to legal action and compensation claims.
It's also another reminder of how easily data can be rendered insecure through poor processes and how information related to millions of individuals is managed not only by the companies that bill them but also by third party partners, adding to the risk of security slip-ups or breaches.
— Ray Le Maistre, , International Group Editor, Light Reading