Tens of thousands of Assist Wireless Lifeline free government cell phone customers have had their personal customer documents exposed online.
Those low-income Americans are enrolled with Assist Wireless in Arkansas, Maryland, Minnesota, Missouri and Oklahoma.
This could result in identity theft for those customers. The stolen documents include drivers licenses, Social Security numbers and United States passports. In other words, exactly the kind of documents customers typically use to prove their identities.
Who has reason to worry? Which customers may be exposed? Primarily those who enrolled in the Lifeline program during calendar years 2019 and 2020.
You may feel relieved that Assist discovered and corrected the problem on its own, but that is not the case. A prominent security researcher actually stumbled across the exposed documents while performing a simple Google search. The researcher in turn passed the news on to TechCrunch and asked them reveal the leak to the character. The exposed documents, according to Assist, were quickly deleted from its website.
Here’s more from TechCrunch.com about how the leak was discovered:
Assist told TechCrunch that it traced the issue to a third-party plug-in, Imagify, which the carrier uses to optimize images on its website. Assist said that the plug-in by default puts a backup of uploaded images in a separate folder, but that the backup location in Assist’s case was not secure.
“We have resolved the issue by turning the backup off and removed the folder from public view,” said Assist.
The carrier told TechCrunch it also submitted an “urgent request” to Google to remove the documents from its cached image search results. (TechCrunch held this story until the images were scrubbed.)
Assist said it is investigating if anyone else found the exposed data before the issue was fixed.
We would not imagine that these are good times to be working in Assist’s public relations department. Here is part of the un-reassuring statement issued in an attempt to put a lid on this story:
“Assist Wireless takes security and consumer data very seriously. We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward.”
This is one of those cases where the incident was truly the case of an accident. Of course, accident or not, those whose identities were stolen cannot be happy with Assist. But to the company’s credit, it seems to be doing everything possible to rectify its own errors.