Slashdot Mirror


Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak (gizmodo.com)

About four million Time Warner Cable records containing details of its customers were found unsecured on an Amazon server last month, tech website Gizmodo reported on Friday. From a report: The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC. The 4 million TWC records are not all tied to unique customers, meaning 4 million individual people were not exposed by the breach. Due to the sheer size of the cache, it was not immediately clear precisely how subscribers were affected. The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information -- though it does not appear that any Social Security numbers or credit card information was exposed.

30 comments

  1. Your privacy is EXTREMELY important to us by FrankHaynes · · Score: 5, Funny

    Your information is only shared with our Trusted Partners ®

    What could possibly go wrong??

    --
    slashdot: A failed experiment.
    1. Re:Your privacy is EXTREMELY important to us by OffTheLip · · Score: 1

      Do these companies do any IT security? They seem to be willing to sacrifice customer data as a matter of routine business. Their customers don't care or don't know about these partner deals.

  2. I think credit card was exposed! by Spy+Handler · · Score: 5, Interesting

    it does not appear that any Social Security numbers or credit card information was exposed

    Earlier this month I switched to paperless billing for my Time Warner cable account. Two weeks ago I paid my bill online with a credit card for the first time.

    Lo and behold, a fraudulent charge appeared on my statement last week! Someone bought some stuff from Neiman Marcus and had it shipped to Florida. (I live on the other side of the continent)

    I was wondering where the security breach of my credit card was coming from, this makes me think it was Time Warner.

    1. Re:I think credit card was exposed! by Samurai+Nigel · · Score: 0

      Some thoughts:

      - It could just be coincidence, but that timeline does seem kind of suspect.

      - With that much data, it's entirely possible they just haven't found the credit card information yet. It's also possible that the data that IS in there could have been used to attain credit card information.

      - The handbag I bought with your credit card was FABULOUS! ;)

    2. Re:I think credit card was exposed! by Anonymous Coward · · Score: 0

      could have been used to attain credit card information

      could have been used to obtain credit card information
      FTFY

    3. Re:I think credit card was exposed! by Samurai+Nigel · · Score: 2

      Attain, obtain, ascertain, procure, gain, secure...

      Synonyms are awesome. LPT. YW.

    4. Re: I think credit card was exposed! by Anonymous Coward · · Score: 0

      From the article:

      The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing credentials (usernames and passwords) to external systems - information that could've been used to uncover additional sensitive subscriber records.

      It is entirely possible that the additional information could have been used to compromise personal information. If you look past Charter being weasels and trying to downplay the breach, you'll see that they really don't know if additional systems and data were compromised as a result of this breach. And I haven't seen any information as to what additional systems could have been compromised from the data in this breach, so there really isn't any way to know right now.

    5. Re:I think credit card was exposed! by Anonymous Coward · · Score: 0

      There are no true synonyms.
      Every word implies something slightly different.

      One of the reasons you should learn a different language is because the increased vocabulary makes it possible for you to think thoughts you couldn't think before.

    6. Re:I think credit card was exposed! by Samurai+Nigel · · Score: 0

      noun. 1. a word having the same or nearly the same meaning as another in the language

  3. This is getting really frustrating by sarbonn · · Score: 5, Insightful

    The part that really bothers me is that no matter how much work I do, how much security I try to add to my own systems, I'm still subject to the stupidity of companies that I do business with, and usually they're companies that I don't really have a choice about whether or not to do business with them (unless I wish to be a Luddite, living in a cave). This has happened with banks, cable companies, Internet providers, the freaking government, practically every computer gaming company and/or computer-related entity. And usually we find out through some cryptic message of "you need to change your password cause something may or may not have happened". It's really frustrating.

    --
    Sarbonn's blog: http://www.sarbonn.com/blog
    1. Re:This is getting really frustrating by Anonymous Coward · · Score: 0

      It's frustrating as someone who works with sensitive data too. We've not had any breaches (that we know of), but it's a huge headache wading through and constantly patching systems and checking everything. For most people, you're just trying to do your job without screwing up. For people working with this stuff you're trying to protect it from other people (hackers) who are basically ACTIVELY trying to sabotage your work.

      To a large degree as well it feels redundant. There's been so many data breaches announced that I'd wager nearly everyone in the country has had a SSN or credit card # leaked at one point or another.

      I don't know what the solution is, but eventually we're going to have to figure out something other than little numbers that we're supposed to keep super-secret. Long term, it's just not working.

    2. Re:This is getting really frustrating by FrankHaynes · · Score: 2

      (unless I wish to be a Luddite, living in a cave)

      So, just like most AC commenters here at /.

      --
      slashdot: A failed experiment.
    3. Re:This is getting really frustrating by Anonymous Coward · · Score: 0

      sarbonn,

      "...unless I wish to be a Luddite, living in a cave..."

      The original Luddites did not live in caves. They lived in their own houses on their own land and operated their own business using their own machines.

      The Luddites were pissed off that capital, big business and mechanization was about to take all that away from them.

      Looking at the way capital and big business treats us all today you might start to think that Ned Ludd had a point. The process of stripping all our wealth is not over yet.

    4. Re:This is getting really frustrating by Anonymous Coward · · Score: 0

      So, just like most AC commenters here at /.

      what data did you use to arrive at your conclusion?

      tell us more about your respect for the scientific method

    5. Re:This is getting really frustrating by Anonymous Coward · · Score: 0

      no matter how much work I do

      so you were expecting to be omnipotent and you are disappointed by reality

    6. Re:This is getting really frustrating by snookiex · · Score: 2

      Not only companies. Family and friends usually leak a lot of information about you. Either tagging you on FB, uploading private photos to "the cloud" or installing stupid apps on their phones that steal their contacts and IM messages. There's no escape.

      --
      Open Source Network Inventory for the masses! Kuwaiba
    7. Re:This is getting really frustrating by Anonymous Coward · · Score: 0

      usually leak a lot of information about you.

      you mean like opinionated slashdot posts with your id

      There's no escape.

      no shit, you're deliberately doing it to yourself

  4. At the rate companies I use are being compromised by bobstreo · · Score: 2

    My (unborn, unplanned, unexpected for a few more years) grandchildren will be getting free credit monitoring.

  5. Amazon buckets have holes. by Anonymous Coward · · Score: 0

    I've been seeing this a lot. Doesn't Amazon have ANY kind of security on their systems?

    1. Re:Amazon buckets have holes. by Anonymous Coward · · Score: 0

      I've been seeing this a lot. Doesn't Amazon have ANY kind of security on their systems?

      so amazon should be controlling the access to content? really?

    2. Re:Amazon buckets have holes. by Anonymous Coward · · Score: 0

      They have as much as any other provider but it's up to the customer to enable or install these features. It isn't Amazon's fault when you decide to have a big NoSQL orgy and install mongodb without a password on it.

  6. Re: Too bad they didn't have Trump's taxes by NicknameUnavailable · · Score: 0

    Pretty sure he's not interested in Hillary's snatch.

  7. Re: Too bad they didn't have Trump's taxes by Anonymous Coward · · Score: 0

    He couldn't afford it anyway, and besides, Ivanka.

  8. Charter needs to be severely penalized by Anonymous Coward · · Score: 0

    Time Warner Cable is now Charter. They need to be severely penalized. This is negligence and their response is asinine.

    My personal information is almost certainly among the four million subscribers in the breach. I have used the My TWC app, and yes, I've paid my bill through it. The unsecured data was discovered on August 24. As of right now, Charter has made precisely zero effort to notify me.

    Although the focus is on the four million customer records, it's not entirely clear what else has been compromised. The Gizmodo article about this includes the following text:

    The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing credentials (usernames and passwords) to external systems - information that could've been used to uncover additional sensitive subscriber records.

    In other words, the true scope of the breach may not be known. If a third party security researcher was able to uncover this information, can they truly be confident that others didn't access the information and use it for malicious purposes?

    A spokesperson for BroadSoft said the company had verified that customer data was exposed to the public internet, but that it does not believe the information to be "highly sensitive." The company also does not believe it was accessed by anyone with malicious intent.

    These claims also limit their requirements to notify customers under state data breach laws.

    "We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed."

    In other words, their previous statement was bullshit. They don't know what was accessed. They're being weasels to limit their requirements under law.

    Finally, from Charter's own statement, quoted by Gizmodo:

    We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.

    As I stated, my personal information was almost certainly involved in the breach. They haven't notified me, and there's no reason they couldn't have sent even a mass email by now. It's been several days.

    Finally, this is incredibly negligent. There is absolutely no excuse for storing sensitive information on a server that can be accessed by the public with no credentials whatsoever. The negligence was apparently due to outsourcing some aspect of their business to BroadSoft, a company in India, whose CCTV recordings were also stored on the server. Even if nobody has their personal information abused from this data breach, Charter needs to be severely penalized for their negligence. They are still responsible, despite having outsourced to a firm in India. I also don't much like their lack of notification and their misleading statements downplaying the breach while they don't really know what was compromised.

    1. Re: Charter needs to be severely penalized by NYC_1066 · · Score: 1

      If any of the 'financial transactions' include records of video rental or purchase, isn't the company liable for violations of the Video Privacy Protection Act (VPPA) -- one of the few nominally-strong privacy laws?