A configuration error by one of Time Warner Cable’s vendors left a database containing more than 4 million records with info about the cable operator’s customers publicly available on the internet, according to a security software firm.
BroadSoft, a communication software and service provider used by Time Warner Cable, left more than 600 gigabytes of private files publicly accessible online in two separate Amazon Web Services repositories, Kromtech Alliance’s security research team said Friday in a blog post. The BroadSoft data was improperly configured to allow public access in AWS, according to Kromtech.
Most of the exposed data appeared related to Time Warner Cable, Bright House Networks and AMC Networks, according to Kromtech. One of the files contained more than 4 million records including usernames, account numbers, transaction IDs and other info spanning Nov. 26, 2010, to July 7, 2017. Other databases Kromtech was able to access in BroadSoft’s AWS repositories had billing addresses, phone numbers and other information for hundreds of thousands of Time Warner Cable customers.
Time Warner Cable and Bright House were both acquired last year by Charter Communications, which is the second-biggest U.S. cable company after Comcast.
In a statement, Charter said the exposed customer info was removed as soon as it was discovered, and said “there is no indication that any Charter systems were impacted.”
“A vendor has notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources,” Charter said in a statement. “Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them.”
BroadSoft emphasized in a statement that the exposed customer data did not include financial info like bank or credit card information or Social Security numbers. “As soon as we recognized the exposure, we immediately began to re-secure the information,” the company said, adding that BroadSoft’s core information-technology and cloud unified communication infrastructures “were not exposed or compromised in this incident.”
Charter said it recommends that customers who have used the MyTWC app change their usernames and passwords. The cable company said it will directly contact customers if it discovers that their information was exposed.
Kromtech said it downloaded the contents of the publicly accessible BroadSoft data “for verification purposes,” noting that it’s unclear if the data was accessed by other unauthorized parties. The company discovered the misconfigured BroadSoft file repositories in AWS in the process of researching an Amazon S3 cloud-based data repository for WWE — containing 3 million customer emails — that was also publicly accessible on the internet.