Millions of Time Warner Cable customer’s information exposed after data leak
Security outfit Kromtech says files that vendor Broadsoft kept online were vulnerable
By Giovanni Bruno
Customer data for units of Charter Communications Inc. and other companies was left unprotected online in data stockpiles that Broadsoft Inc. kept online, security company Kromtech Alliance Corp. wrote on a company blog.
A researcher for Kromtech discovered records for more than four million customers of Charter division Time Warner Cable and other companies’ data that the research firm says Broadsoft stored on Amazon.com Inc.’s cloud service. “The two repositories contained thousands and thousands [of] records and reports for a number of Broadsoft clients, with Time Warner Cable appearing to be the most prominent,” Kromtech’s Bob Diachenko blogged.
The data “was configured to allow public access and exposed extremely sensitive data” such as usernames, email addresses, credentials and in some cases billing addresses and phone numbers. The records went far as back as November 2010, predating Charter’s 2016 acquisition of Time Warner Cable for US$78.7 billion, including assumed debt.
“This would allow anyone with an internet connection to access extremely sensitive documents,” Diachenko blogged. “Not only could they access the documents but any ‘Authenticated Users’ could have downloaded the data from the URL or using other applications. With no security in place just a simple anonymous login would work.” The data was secured after Kromtech reached out to BroadSoft and Charter.
Broadsoft provides cloud voice, messaging, conferencing, document sharing and other services such as outsourced call centres. The company works with 600 communications service providers across 80 countries, according to its web site.
Charter acknowledged the event but said that it has “no indication that any Charter systems were impacted” in an emailed statement.
“A vendor has notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources,” a spokesman said in a written statement. “Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them.” The company encouraged users of its MyTWC app to change their log-in information. “We apologie for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident,” the company stated.
Representatives of BroadSoft did not immediately respond to a query.