US cell carrier Assist Wireless exposed thousands of customer IDs

U.S. cell carrier Assist Wireless left tens of thousands of personal customer documents on its website by mistake.

Assist provides free government-subsidized cell phones to low-income households across Oklahoma through the Lifeline program, set up by the Federal Communications Commission in 1985. Lifeline helps households on federal assistance programs, like food stamps or public housing, get access to cheap cell phone plans.

But part of the carrier’s website was leaking customer documents — including driver’s licenses, passports and Social Security cards — which customers submit to verify their eligibility to sign up for a free phone and a plan.

The documents are dated between 2019 and 2020.

Security researcher John Wethington found the exposed documents through a simple Google search result, and asked TechCrunch to alert the carrier to the leak. Assist removed the exposed documents from its website a short time later.

Assist told TechCrunch that it traced the issue to a third-party plug-in, Imagify, which the carrier uses to optimize images on its website. Assist said that the plug-in by default puts a backup of uploaded images in a separate folder, but that the backup location in Assist’s case was not secure.

“We have resolved the issue by turning the backup off and removed the folder from public view,” said Assist.

The carrier told TechCrunch it also submitted an “urgent request” to Google to remove the documents from its cached image search results. (TechCrunch held this story until the images were scrubbed.)

Assist said it is investigating whether anyone else found the exposed data before the issue was fixed.

“Assist Wireless takes security and consumer data very seriously. We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward,” the carrier said.

The carrier also said it would notify customers if their data was exposed in the security lapse.