Wireless Provider Openly Shares Private Data Of Subscribers

from the whoops a daisy dept

Editor’s Note, May 7, 2021 Q Link Wireless has contacted us to dispute that the privacy failure impacted Q Link customers, stressing that its Hello Mobile brand is separate from Q Link. We will note that the two companies are connected, as Q Link made clear in its press release announcing its ?new prepaid phone brand, Hello Mobile,? stating that the CEO of both companies is the same, Issa Asad. Both companies are listed in the FCC?s telecommunications companies database as having the same address and being owned by the same parent firm, Quadrant Holdings, which also has the same CEO, Issa Asad. The ?My Mobile? iOS app Ars Technica revealed to have exposed consumer data is listed as having been developed by Q Link Wireless. The maker of the corresponding Android app is a separate company, Vector Holdings. According to publicly filed FCC documents, Vector Holdings is also a subsidiary of Quadrant Holdings and run by Issa Asad. We have updated the post to reflect that the public evidence shows the data being exposed specifically for Hello Mobile users.

Another day, another notable privacy scandal we won’t do much about.

Q Link Wireless’s Hello Mobile service is the latest company to be under fire for particularly lax security and privacy standards after it was found to have exposed the private data of its wireless customers. The company’s My Mobile Account app (for iOS and Android) is supposed to let subscribers monitor their wireless accounts, while letting them track remaining data allotments and buy more data when needed. But for users, the app also displays the name, addresses, phone and text histories, last four digits of their credit card, and the account number needed to port your number out.

And all of this data was left openly exposed for anybody to access, provided you had the phone number of any Hello Mobile customer.

The problem was first spotted by Reddit users and subsequently confirmed by Ars Technica:

“Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That?s right?no password or anything else required.

When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate.”

It’s not clear how long this screw up has been live, but complaints began popping up on Reddit sometime last year. When Ars reached out to the company it couldn’t be bothered to respond:

“I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn?t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers.”

It’s worth noting that Q Link Wireless customers are generally lower-income users enrolled in the FCC’s Lifeline program (which doles out a modest $9.25 monthly subsidy to be used for wireless, wired broadband, or phone service) and as such are potentially the least likely to be able to afford issues related to identity theft and fraud. Also worth reminding folks: in 2015 the FCC passed some relatively basic broadband privacy rules that were subsequently demolished by the GOP at the behest of the telecom lobby before they could take effect. So, good job all around, I guess.

Filed Under: , , ,
Companies: q link wireless

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Wireless Provider Openly Shares Private Data Of Subscribers”

Subscribe: RSS Leave a comment
7 Comments
Celyxisesays:

Hall of Shame

It seems like we hear about this kind of thing every week. I wonder if someone has put together a list of companies, their failure(s), and what/if they have done anything to address it since. It’d be nice to do a quick privacy/security background check on a company before entering into a contract with them.

That Anonymous Cowardsays:

Re: Hall of Shame

The problem is they have all done it.
This is made that much worse because the victims aren’t photogenic enough to inspire outrage.

We can’t even get laws demanding basic security standards with penalties for failing to follow them despite the huge failures over & over & over.

Anonymoussays:

Re: Re: Hall of Shame

but like Celyxise said, the issue isn’t who’s done it. The issue is, how did they respond when the issue was discovered?

I’ve seen everything from a public RCA that determines what went wrong at what levels of process and what was done to fix each of those issues, to… crickets.

I have no problems working with companies that make mistakes and leak PII. I have PLENTY of issues with companies that do it and care more about covering it up than protecting their customers going forward. Because if I am going to be a customer, I want to know they’ve already learned from their past mistakes.

ECAsays:

Still waiting for this to hit the fan.

If everyone’s data is dumped to the net, and anyone can use it.
The banks are going to have Soo much fun.
The gov is going to hate this to the max(headroom).

How to prove who is who and who used your credit card.
Star card anyone?
Tattoo? Embedded chip anyone?(I feel like my dog) Perfect Facial ID?
Let take pictures of every transaction that can be made. Oops Google/amazon/FB/.. is going to have Fun with this .

sarahsays:

Class action lawsuit?

This is happening to me right now. I’ve talked to three people. I talked to the person whose number I had. I can see all her texts. I told her everything. I wonder if someone has my number.

This is huge! Major privacy violation. What if someone got a very personal, sensitive text.

I would think there are attorneys that wouldn’t charge a retainer, and only take money if they win.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it