MetroPCS, Nutmeg Customer Data Exposed by Mistake
Both breaches appear to have been the result of coding errors.
According to Motherboard, a security flaw in the MetroPCS payment page left more than 10 million subscribers' personal information exposed, including their home addresses, plan types, and phone models and serial numbers.
The bug was discovered a month ago by security researchers Eric Taylor and Blake Welsh. A T-Mobile spokesperson (MetroPCS is a T-Mobile subsidiary) told Motherboard the flaw has been fixed and the data is no longer accessible.
Taylor told Motherboard the data could easily have been accessed with an automated script that would have harvested many (if not all) MetroPCS customers' data. As Motherboard notes, hacker Andrew Auernheimer found a similar flaw in AT&T's website in 2010, which provided him with 114,000 iPad users' email addresses.
In a similar but smaller-scale breach, online investment company Nutmeg recently acknowledged that 32 customers' personal information (names, addresses, investment details and assets) was emailed to other people by mistake.
The Financial Times reports that Nutmeg said the breach was caused by a coding error. The company has contacted everyone involved, and has reported the breach to the U.K. Information Commissioner's Office.
"Due to a technical error on September 1, a small number of customer suitability reports were sent to the wrong people," Nutmeg founder and chief executive Nick Hungerford said. "This was identified and rectified immediately, and all customers affected were contacted directly to inform them of the issue and apologize."
"At Nutmeg we put our customers first, and take the security of customer data very seriously; we have conducted a thorough investigation and can assure our customers this will not happen again," Hungerford added.
Photo courtesy of Shutterstock.