Wireless Provider Openly Shares Private Data Of Subscribers

from the whoops-a-daisy dept

Editor’s Note, May 7, 2021 Q Link Wireless has contacted us to dispute that the privacy failure impacted Q Link customers, stressing that its Hello Mobile brand is separate from Q Link. We will note that the two companies are connected, as Q Link made clear in its press release announcing its ?new prepaid phone brand, Hello Mobile,? stating that the CEO of both companies is the same, Issa Asad. Both companies are listed in the FCC?s telecommunications companies database as having the same address and being owned by the same parent firm, Quadrant Holdings, which also has the same CEO, Issa Asad. The ?My Mobile? iOS app Ars Technica revealed to have exposed consumer data is listed as having been developed by Q Link Wireless. The maker of the corresponding Android app is a separate company, Vector Holdings. According to publicly filed FCC documents, Vector Holdings is also a subsidiary of Quadrant Holdings and run by Issa Asad. We have updated the post to reflect that the public evidence shows the data being exposed specifically for Hello Mobile users.

Another day, another notable privacy scandal we won’t do much about.

Q Link Wireless’s Hello Mobile service is the latest company to be under fire for particularly lax security and privacy standards after it was found to have exposed the private data of its wireless customers. The company’s My Mobile Account app (for iOS and Android) is supposed to let subscribers monitor their wireless accounts, while letting them track remaining data allotments and buy more data when needed. But for users, the app also displays the name, addresses, phone and text histories, last four digits of their credit card, and the account number needed to port your number out.

And all of this data was left openly exposed for anybody to access, provided you had the phone number of any Hello Mobile customer.

The problem was first spotted by Reddit users and subsequently confirmed by Ars Technica:

“Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That?s right?no password or anything else required.
When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got the permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate.”

It’s not clear how long this screw up has been live, but complaints began popping up on Reddit sometime last year. When Ars reached out to the company it couldn’t be bothered to respond:

“I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn?t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers.”

It’s worth noting that Q Link Wireless customers are generally lower-income users enrolled in the FCC’s Lifeline program (which doles out a modest $9.25 monthly subsidy to be used for wireless, wired broadband, or phone service) and as such are potentially the least likely to be able to afford issues related to identity theft and fraud. Also worth reminding folks: in 2015 the FCC passed some relatively basic broadband privacy rules that were subsequently demolished by the GOP at the behest of the telecom lobby before they could take effect. So, good job all around, I guess.

Filed Under: , , ,
Companies: q link wireless

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Wireless Provider Openly Shares Private Data Of Subscribers”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Hall of Shame

but like Celyxise said, the issue isn’t who’s done it. The issue is, how did they respond when the issue was discovered?

I’ve seen everything from a public RCA that determines what went wrong at what levels of process and what was done to fix each of those issues, to… crickets.

I have no problems working with companies that make mistakes and leak PII. I have PLENTY of issues with companies that do it and care more about covering it up than protecting their customers going forward. Because if I am going to be a customer, I want to know they’ve already learned from their past mistakes.

ECA (profile) says:

Still waiting for this to hit the fan.

If everyone’s data is dumped to the net, and anyone can use it.
The banks are going to have Soo much fun.
The gov is going to hate this to the max(headroom).

How to prove who is who and who used your credit card.
Star card anyone?
Tattoo? Embedded chip anyone?(I feel like my dog) Perfect Facial ID?
Let take pictures of every transaction that can be made. Oops Google/amazon/FB/.. is going to have Fun with this .

sarah says:

Class action lawsuit?

This is happening to me right now. I’ve talked to three people. I talked to the person whose number I had. I can see all her texts. I told her everything. I wonder if someone has my number.

This is huge! Major privacy violation. What if someone got a very personal, sensitive text.

I would think there are attorneys that wouldn’t charge a retainer, and only take money if they win.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...