Adapt IT unit Conor hit by massive data breach
Conor, a subsidiary of JSE-listed IT company Adapt IT, suffered a data breach that exposed users’ data.
The breach was discovered by cyber security firm vpnMentor led by analysts Noam Rotem and Ran Locar.
According to vpnMentor, the breached database contained daily logs of user activity by customers of ISPs using Web filtering software built by Conor.
It exposed all Internet activity of these users including their search history, along with their PII data.
This included highly sensitive and private activity, including pornography. vpnMentor says not only did Conor expose users to embarrassment by revealing such browsing activity, but they also compromised the privacy and security of people in many countries. They were also able to pull users social media logins.
Based in SA, Conor is an information and communications technology company that develops software products for clients in Africa and South America. The company creates a range of solutions for businesses in numerous industries, including finance, mobile Internet, SMEs, and data monetisation.
High profile clients
Conor has 80 million mobile subscribers to their products, with some high profile clients, including Vodafone and Telkom, says vpnMentor.
“Our team’s Web scanner picked up the database on the 12th of November. It was clear the database contained a huge amount of data from many different sources in various countries,” the cyber security firm says.
“At times, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. However, more often it takes days of investigation before we understand what’s at stake or who’s leaking the data. In some instances, affected parties deny the facts, disregarding our research or playing down its impact. So we need to be thorough and make sure everything we find is correct and true.
“The database was later reviewed and better understood, along with its connection to a Web filter app built by Conor. We then reached out to the company to offer our assistance.”
Based on our team’s discovery of this database, Conor’s “commercially acceptable means” weren’t enough to keep this private user data hidden, says vpnMentor, adding that its team was able to access this database because it was completely unsecured and unencrypted.
“We were able to view constantly updating user activity logs for the last two months from customers of numerous ISPs based in African and South American countries. In total, this resulted in 890+ GB of data and over one million records.”
It explains that the database belonged to a proprietary software developed by Conor, rather than the ISPs themselves.
The software is a Web filter developed for ISP clients to restrict access to certain Web sites and types of online content.
“We found entries from users viewing porn for example, as well as their social media accounts and logins. As well as the Web sites visited, our team was able to view a range of private personal user data every time someone logged onto the system, including:
- The index names: allowing easy identification of daily activity
- MSISDN: a code that identifies a mobile phone user within their provider's network, via their phone number
- IP address
- Duration of connection or visit to a website
- The volume of data (in bytes) transferred per session
- Full website URL
- If a website had been blocked by the filter or not
As the database gave access to a complete record of each user’s activity in a session, the vpnMentor team was able to view every Web site they visited or attempted to visit.
“We could also identify each user. A person’s Internet browsing is always personal and expected to be private; however, that was not the case with this data breach.”
It says a data breach of this size and nature – exposing so much data on user activity and identities – has serious implications for all involved.
“For an ICT and software development company not to protect this data is incredibly negligent. Conor’s lapse in data security could create serious problems for the people exposed. While Conor wouldn't be vulnerable to attack or fraud, they could suffer significant reputational damage and a loss of trust within their industry.”
Web Usage Logging portal
In response, Sbu Shabalala, CEO of Adapt IT, told ITWeb that on 10 December 2019, Adapt IT was made aware that the Conor Solutions Web Usage Logging portal had potentially been accessed by a third-party.
Conor Solutions, a division of Adapt IT, provides Internet management services to a number of customers, he notes, adding that services include connectivity and analysis of Web usage logs for customers, independently of mobile network operators, and delivered as a hosted service.
According to Shabalala, on 25 November 2019, Conor Solutions terminated open access to the hosted Web portal as the service had been discontinued.
This portal is completely separate from any databases or applications where personal data may be processed through any of our other applications.
“On 10 December, Adapt IT was approached by local news agencies who had been alerted by vpnMentor of the portal’s existence. vpnMentor allegedly accessed the portal and extracted data in a report format, which may have exposed the (i) mobile numbers; (ii) names; and (iii) partial Internet usage activity (including IP addresses or domains visited), excluding encrypted usage, of customers using this service for a limited duration.”
He says the portal did not contain any account numbers, children’s personal data, special personal data or other similarly sensitive data such as financial information or passwords as defined by relevant data protection laws.
“Adapt IT has contacted the affected customers directly and no further action is required from our customers. As the portal had been terminated before Adapt IT became aware of the possible access, no further preventative measures are required.
“The business holds itself to best practices with regards to the protection of personal information. Even though it is not yet a legal requirement, Adapt IT’s systems are in line with the Protection of Personal Information Act. We always conduct ourselves in a responsible manner when collecting, processing, and storing any entity’s information. Protecting our clients’ confidential information is a key priority for us.”