Major mobile carrier left user PII in the clear


Welcome to your new telco job – here's sudo access to a database with full customer info stored in the clear


It happened at a major US telco in the early 2000s

Avram Piltch, US editor

Published Thu 18 Jun 2026 // 08:00 UTC

PWNED Welcome back to PWNED, the weekly column where we register some of the worst tech security mistakes our readers have ever seen. Our goal: to help you not do the same.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request.

This week's tale of code carelessness comes courtesy of a database administrator we'll Regomize as Joker. Back in the first decade of the 21st century, she went for a job interview at one of the USA's leading national cellular carriers.


What she saw would make you want to swap your SIM.


After a successful meeting with a hiring manager, Joker was hired on the spot.

Within hours the company gave her sudo-level access to a database server, then instructed her to "take a look" at some of the databases.

Joker soon realized the carrier's security was no laughing matter as she found herself accessing the main production server for the company's data services division, which oversaw all services for the mobile web. This story took place in a time before the iPhone, so she was looking at nasty little versions of websites compressed for viewing on BlackBerries or flip phones.

After peeking around some more, Joker discovered that she had access to the master customer table. It contained nightmarish quantities of personally identifiable information: names, addresses, Social Security numbers, billing info, and even full 16-digit credit card numbers. All of this info was stored in the clear, with no encryption or obfuscation. The CVVs were missing from some credit card records, but many were present.

"There was a central billing system upstream on Amdocs servers, but this database also had billing details so they didn't have to reach back upstream to Amdocs if users asked to provision new services," Joker said.

After Joker informed management about the mess, they deleted the offending info and forced the developers to go upstream again for billing information, just like they should have been doing in the first place.

Joker, like any reasonable DBA, assumed access to this information would be tightly controlled, not made available to new staff with full access rights on their first day.


She also assumed her new employer would tokenize key pieces of data because that technique means certain info – say credit card and Social Security numbers – would not be visible in the same table as a customer's name and address. Instead, there would be tokens linking back to the actual numbers stored in a secure token vault. This is common in payment systems.


If Joker were less ethical, or someone else had gained admin access, they could have exfiltrated large amounts of sensitive data. Permissions should start from a zero-trust assumption and provide only what someone needs to do their job.

Joker said that when she later moved on to work for a major online retailer, security was front and center, proving that some people did get it, even back in the George W. Bush era. ®
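As an added illustration of the two points above (tokenizing the card and Social Security columns so they never sit beside the customer's name, and making detokenization a separately authorized operation rather than something a fresh sudo login gets for free), here is a small Python sketch; it is not code from the column or from the carrier involved. The customer record, the field names, the role names and the in-memory vault are all constructed for the example.

```python
import secrets

# Constructed sample record (not from the article): a customer row as the
# telco's master table held it, with SSN and card number in the clear.
CUSTOMER_IN_CLEAR = {
    "name": "Jane Doe",
    "address": "1 Example Street",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
}

SENSITIVE_FIELDS = ("ssn", "card")


class TokenVault:
    """Keeps the real values. Everything outside the vault only sees tokens,
    and detokenizing is a separate, role-checked operation. Role names are
    hypothetical; a real vault would sit behind its own store and audit log."""

    def __init__(self, allowed_roles=("billing-service",)):
        self._store = {}
        self._allowed_roles = set(allowed_roles)

    def tokenize(self, value):
        # Random token, not derived from the value, so reading the whole
        # customer table reveals nothing about the card or SSN behind it.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token, role):
        if role not in self._allowed_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._store[token]


def tokenize_record(record, vault):
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for key in SENSITIVE_FIELDS:
        out[key] = vault.tokenize(record[key])
    return out


def contains_clear_pii(record):
    """True if any sensitive field still holds a raw value instead of a token."""
    return any(not str(record[k]).startswith("tok_") for k in SENSITIVE_FIELDS)
```

A new DBA with full read access to the tokenized table gets names and addresses but only `tok_...` strings for the card and SSN; only a caller holding the billing role can turn those back into numbers.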
