Oh, boy. Someone screwed up big time at Assist Wireless and exposed the personal documents of not just thousands, but tens of thousands of its Lifeline customers on its website.
Assist offers free government cell phones to low-income Americans in Arkansas, Maryland, Minnesota, Missouri and Oklahoma.
What kind of documents did it accidentally expose to potential identity thieves? Driver’s licenses, passports and Social Security cards — all the documents customers routinely use to verify their eligibility to enroll in the Lifeline program.
And when did they expose them? You might have reason to worry if you enrolled during calendar years 2019 and 2020.
Security researcher John Wethington found the exposed documents through a simple Google search result, and asked TechCrunch to alert the carrier to the leak. Assist removed the exposed documents from its website a short time later.
TechCrunch.com explains how the problem was discovered:
Assist told TechCrunch that it traced the issue to a third-party plug-in, Imagify, which the carrier uses to optimize images on its website. Assist said that the plug-in by default puts a backup of uploaded images in a separate folder, but that the backup location in Assist’s case was not secure.
“We have resolved the issue by turning the backup off and removed the folder from public view,” said Assist.
The carrier told TechCrunch it also submitted an “urgent request” to Google to remove the documents from its cached image search results. (TechCrunch held this story until the images were scrubbed.)
Assist said it is investigating if anyone else found the exposed data before the issue was fixed.
Assist’s PR people are dancing as fast as they can to put lipstick on this pig:
“Assist Wireless takes security and consumer data very seriously. We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward.”
The company appears to be taking this seriously, but as we said in our headline, WTF? This isn’t a case of Russian hackers breaking into Assist’s website. It was an internal screw-up of epic proportions.
The only good news out of this fiasco: Assist promises to notify customers whose data was accidentally revealed.