vpnMentor has unearthed a massive South African data breach which exposed the private browsing data and personal identifying information of more than 1 million mobile users.
The breach was discovered by cybersecurity analysts Noam Rotem and Ran Locar in a database belonging to South African ICT company Conor Solutions.
Conor develops various software products for prominent clients in South Africa and was acquired at the end of 2018 by Adapt IT.
The company serves 80 million mobile subscribers per day and lists both Vodacom and Telkom as its clients.
The breached database contained daily logs of user activity by customers of mobile ISPs using web filtering software built by Conor. It exposed all Internet activity of these users – including their search history – along with their personally identifiable information.
“This included highly sensitive and private activity, including pornography,” vpnMentor said.
“Not only did Conor expose users to embarrassment by revealing such browsing activity, but they also compromised the privacy and security of people in many countries. They were also able to pull users’ social media logins.”
Exposed browsing data and cellphone numbers
vpnMentor first discovered the database on 12 November 2019 and immediately realised it contained a large amount of data – over 890GB – with more than 1 million records.
The researchers reviewed the data and its connection to a web filter app built by Conor, and reached out to the company to offer their assistance.
The team said they were able to access this database because it was completely unsecured and unencrypted, and they were then able to view constantly-updating user activity logs for the last two months.
These logs monitored data from customers of numerous mobile ISPs based in African and South American countries, including South Africa.
Whenever the vpnMentor team logged into the database, they were able to find entries from users viewing pornography, as well as to determine their social media accounts and logins.
The following personal data for over 1 million Internet users was exposed in the breach:
- Index name (Allowing easy identification of daily activity)
- MSISDN (Cellphone number)
- IP address
- Duration of connection or visit to a website
- Volume of data transferred per session
- Full URL of visited websites
In addition to the above, the database also noted whether a user’s connection had been blocked by the web filter app or not.
“A person’s Internet browsing is always personal and expected to be private; however, that was not the case with this data breach,” vpnMentor said.
“As the database gave access to a complete record of each user’s activity in a session, our team was able to view every website they visited or attempted to visit. We could also identify each user.”
Researchers noted that this is a major data breach which would have far-reaching effects for all involved, as it is unclear how long this information was unsecured and exposed to hackers and malicious parties.
vpnMentor disclosed the breach to Conor, which subsequently closed the vulnerability but did not provide a statement to the security company.
“For an ICT and software development company not to protect this data is incredibly negligent,” vpnMentor said. “Conor’s lapse in data security could create serious problems for the people exposed.”
Additionally, the breached database exposed how Conor’s web filter app worked and its rules for blocking content.
vpnMentor said that the greatest risk in this breach is to the people whose data was exposed. The database contained live traffic logs of all their online activities, along with personally identifiable information.
“There was zero privacy for those affected, making them vulnerable to a wide range of online attacks and fraud that could have devastating effects, both personally and financially,” Conor stated.
The only way to ensure that your information is not compromised in this way again is to use a VPN, the company said, as this hides your activity from your ISP and prevents it from being logged in this manner.
Mobile networks respond
MyBroadband asked Vodacom, MTN, Cell C, and Telkom whether they used any services provided by Conor Solutions and whether they were aware of any data breach which had been disclosed to the company.
Vodacom confirmed that Conor Solutions (Adapt IT) is one of its suppliers.
“We were made aware this week of the vulnerability, which was disclosed to Conor Solutions, and which we understand has since been closed,” Vodacom told MyBroadband.
“Vodacom does not use the Conor Solutions service where the vulnerability was identified, but continues to monitor the situation.”
Telkom told MyBroadband that it is a customer of Adapt IT and Conor Solutions.
“Telkom can confirm that it is a customer of AdaptIT which provides support for software products developed by Conor Solutions,” the mobile network told MyBroadband.
“These products are deployed and operated entirely within Telkom’s own networks in support of Telkom products and services.”
Telkom said that it does not make use of Conor Solutions’ web filtering service.
“Telkom has been informed of the Conor Solutions data breach and has been assured by AdaptIT that this breach is within a completely separate service area to those sold to Telkom,” the company said. “Telkom understands that this incident is not related in any way to any commercial or technical service provided to Telkom.”
Telkom said it is still awaiting formal confirmation from AdaptIT as to the extent of any Telkom customer data that may have been exposed, and said it would work with AdaptIT as necessary to protect the interests of Telkom’s customers.
MTN and Cell C do not use services supplied by Conor Solutions.
AdaptIT, the company which acquired Conor Solutions last year, said that it was made aware of the data breach on 10 December, when we first contacted it for comment.
“On 10 December 2019, Adapt IT Holdings Limited (“Adapt IT”) was made aware that the Conor Solutions Web Usage Logging portal had potentially been accessed by a third party,” Adapt IT CEO Sbu Shabalala told MyBroadband.
Shabalala said that Conor Solutions closed the vulnerability as soon as it was made aware of the exposed data, adding that the service had been discontinued.
“On 25th November 2019, Conor Solutions terminated open access to the hosted web portal as the service had been discontinued,” he said.
“This portal is completely separate from any databases or applications where personal data may be processed through any of our other applications.”
Shabalala acknowledged vpnMentor’s discovery of the exposed web portal and its claims that it had extracted the information outlined above.
He added that this database did not contain login credentials, account numbers, or other similarly sensitive data.
“The portal did not contain any account numbers, children’s personal data, special personal data or other similarly sensitive data such as financial information or passwords as defined by relevant data protection laws,” Shabalala said.
“Adapt IT has contacted the affected customers directly and no further action is required from our customers. As the portal had been terminated before Adapt IT became aware of the possible access, no further preventative measures are required.”
“The business holds itself to best practices with regards to the protection of personal information,” he said. “We always conduct ourselves in a responsible manner when collecting, processing, and storing any entity’s information.”