MetroPCS, Nutmeg Customer Data Exposed by Mistake

Mobile phone carrier MetroPCS and investment management company Nutmeg both recently suffered data breaches due to apparent errors in programming.

According to Motherboard, a security flaw in the MetroPCS payment page left more than 10 million subscribers' personal information exposed, including their home addresses, plan types, and phone models and serial numbers.

The bug was discovered a month ago by security researchers Eric Taylor and Blake Welsh. A T-Mobile spokesperson (MetroPCS is a T-Mobile subsidiary) told Motherboard the flaw has been fixed and the data is no longer accessible.

Taylor told Motherboard the data could easily have been accessed with an automated script that would have harvested many (if not all) MetroPCS customers' data. As Motherboard notes, hacker Andrew Auernheimer found a similar flaw in AT&T's website in 2010, which provided him with 114,000 iPad users' email addresses.

In a similar but smaller-scale breach, online investment company Nutmeg recently acknowledged that 32 customers' personal information (names, addresses, investment details and assets) was emailed to other people by mistake.

The Financial Times reports that Nutmeg said the breach was caused by a coding error. The company has contacted everyone involved, and has reported the breach to the U.K. Information Commissioner's Office.

"Due to a technical error on September 1, a small number of customer suitability reports were sent to the wrong people," Nutmeg founder and chief executive Nick Hungerford said. "This was identified and rectified immediately, and all customers affected were contacted directly to inform them of the issue and apologize."

"At Nutmeg we put our customers first, and take the security of customer data very seriously; we have conducted a thorough investigation and can assure our customers this will not happen again," Hungerford added.

Recent eSecurity Planet articles have offered advice on how to improve database security and on the importance of offering security training to employees.