A Brazilian Wi-Fi management software firm exposed data of various high profile companies and millions of their customers.
The data was leaked by WSpot, which provides software that enables businesses to secure their on-premise Wi-Fi networks and allow password-free online access to their customers.
The leak was discovered by security research firm SafetyDetectives. The researchers found WSpot’s misconfigured Amazon Web Services (AWS) S3 bucket, which was left open and exposed 10GB worth of data to the public. After discovering the sensitive data on September 2, the researchers contacted the software firm on September 7. WSpot secured the breach the following day.
Some 226,000 files were exposed in the leak, the researchers noted, including personal information from approximately 2.5 million individuals who connected to the public Wi-Fi networks provided by WSpot clients. The company’s client portfolio includes Pizza Hut, financial services provider Sicredi, and healthcare firm Unimed.
According to SafetyDetectives, the set of information exposed included details supplied by individuals in order to access the Wi-Fi service provided by the companies. This includes full name, email address, full address, and taxpayer registration numbers — in addition to the login credentials created in the registration process.
WSpot confirmed the leak to ZDNet, saying the issue was caused by a “lack of standardization in the management of information [stored] in a specific folder.” The Brazilian company reiterated that it has been working to address the issue since it was contacted about it until the conclusion of technical procedures on November 18.
WSpot states that its servers remain intact and were not invaded by malicious actors, saying there’s no evidence that the exposed data has been accessed by cybercriminals. However, the software firm also stated that it has hired a security company to fully investigate any repercussions in relation to the data leaked in the incident.
WSpot says the issue impacted 5% of its total customer base, and none of its clients had business and/or sensitive information compromised. Additionally, it reiterated that it does not capture financial information such as credit card details or access credentials to other services.
It’s unclear whether the company will inform the individuals exposed about the incident.
According to a WSpot spokesperson, the National Data Protection Authority has not yet been contacted about the incident, however, “all legal issues surrounding the case are being addressed by WSpot as thoroughly as possible, especially in order to ascertain the next steps.”