A data breach between late March and late April of this year affected 15,000 Freedom Mobile customers, the company confirmed on Tuesday.
The confirmation comes after a blog post by vpnMentor, which said its cybersecurity researchers had discovered the breach and claimed that 1.5 million customers had been affected.
“Freedom Mobile’s database was completely unencrypted,” the blog post said. “We had full access to more than 5 million records, reflecting up to 1.5 million users.”
And while Freedom Mobile confirmed it had been contacted by the researchers regarding their findings, it noted the size of the breach was much smaller than reported.
In a statement to Daily Hive, Freedom Mobile’s Vice President of External Affairs Chethan Lakshman said once the legitimacy of the researchers’ emails was verified, “the third-party vendor rectified the situation identified by the cybersecurity researchers and we began an investigation immediately.”
However, “any reference to 1.5 million customers affected is inaccurate.”
In their determining of the size of the breach, Lakshman said the researchers “could be referencing the number of lines of data expose, but it is certainly not a reference to the number of customers affected.”
And if it is a reference to the number of lines of data, “it’s worth noting that some customer records could have hundreds or thousands of lines of data, including substantial amounts that do not include any personal information.”
At this point, said Lakshman, “we have no evidence to date that any data exposed has been misused in any way and we are conducting a full forensic investigation to determine the full scope of impact.”
Thus far, the investigation has revealed that although data that was exposed, it was “contained to a very small number of customers.”
It also found the breach was the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline the retail customer support processes.
Customers affected by the breach include those who opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16.
“The data exposure was discovered and rectified on April 23,” said Lakshman. “The internal systems of Freedom Mobile or Shaw Communications were not compromised as part of this third party vendor security exposure.”
Freedom Mobile said it has filed a report with the Office of the Privacy Commissioner of Canada (OPC) and is continuing its investigation into the matter.
Based in Calgary, the company also operates in BC and Ontario.