Led by cybersecurity analysts Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in a database belonging to South African ICT company Conor.
The breached database contained daily logs of user activity by customers of ISPs using web filtering software built by Conor. It exposed all internet activity of these users including their search history, along with their PII data.
This included highly sensitive and private activity, including pornography. Not only did Conor expose users to embarrassment by revealing such browsing activity, but they also compromised the privacy and security of people in many countries. Our team was also able to pull users’ social media logins.
Conor Company Profile
Based in South Africa, Conor is an information and communications technology (ICT) company that develops software products for clients in Africa and South America. They create a range of solutions for businesses in numerous industries, including finance, mobile internet, SMEs, and data monetization.
Conor has 80 million mobile subscribers to their products, with some high profile clients, including Vodafone and Telkom.
Timeline of Discovery and Owner Reaction
Our team’s web scanner picked up the database on the 12th of November. It was clear the database contained a huge amount of data from many different sources in various countries.
At times the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. However, more often it takes days of investigation before we understand what’s at stake or who’s leaking the data. In some instances, affected parties deny the facts, disregarding our research or playing down its impact. So we need to be thorough and make sure everything we find is correct and true.
The database was later reviewed and better understood, along with its connection to a web filter app built by Conor. We then reached out to the company to offer our assistance.
Example of Entries in the Database
“We value your trust in providing us with your Personal Information, thus we are striving to use commercially acceptable means of protecting it. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and we cannot guarantee its absolute security.”
Based on our team’s discovery of this database, Conor’s “commercially acceptable means” weren’t enough to keep this private user data hidden. Our team was able to access this database because it was completely unsecured and unencrypted.
We were able to view constantly updating user activity logs for the last 2 months from customers of numerous ISPs based in African and South American countries. In total, this resulted in 890+ GB of data and over 1 million records.
The database belonged to proprietary software developed by Conor, rather than to the ISPs themselves. The software is a web filter developed for ISP clients to restrict access to certain websites and types of online content. We found entries from users viewing porn, for example, as well as their social media accounts and logins. In addition to the websites visited, our team was able to view a range of private personal user data every time someone logged onto the system, including:
- The index names: allowing easy identification of daily activity
- MSISDN: a code that identifies a mobile phone user within their provider's network, via their phone number
- IP address
- Duration of connection or visit to a website
- The volume of data (in bytes) transferred per session
- Full website URL
- If a website had been blocked by the filter or not
As the database gave access to a complete record of each user’s activity in a session, our team was able to view every website they visited or attempted to visit. We could also identify each user. A person’s internet browsing is always personal and expected to be private. However, that was not the case with this data breach.
Data Breach Impact
A data breach of this size and nature – exposing so much data on user activity and identities – has serious implications for all involved.
For an ICT and software development company not to protect this data is incredibly negligent. Conor’s lapse in data security could create serious problems for the people exposed. While Conor wouldn't be vulnerable to attack or fraud, they could suffer significant reputational damage and a loss of trust within their industry.
The breached database also exposed how Conor’s web filter worked and its rules for blocking content. People could use this knowledge to bypass the filter, making it ineffective and redundant. Both outcomes could lead to loss of business for Conor and reduced income, from losing clients who no longer trust their software or value proposition.
Although Conor developed the web filtering software linked to this database, it's their ISP clients who would experience most of the negative reaction. Customers of ISPs compromised in this leak would most likely target the ISPs for criticism and compensation, which can lead to significant reputational damage and trust issues for all parties involved. They could also be liable to legal action or loss of business.
It's likely the ISPs have been advertising the web filter software as a value proposition to customers and charging them for it. If people could use the exposed database to bypass the web filter, ISPs would be at a further loss, their offer no longer an effective advertising tool.
Customers of the Affected ISPs
The greatest risk in this breach is to the people whose data was exposed. The database contained live traffic logs of all their online activities, along with PII of users. There was zero privacy for those affected, making them vulnerable to a wide range of online attacks and fraud that could have devastating effects, both personally and financially.
We were also able to find their social media accounts. This is known as doxing: using known data about a person to discover and expose their identity. Doxing is often done with malicious intent, with the exposed person subsequently targeted for bullying and harassment.
With access to a person’s porn history, hackers and cybercriminals could target them for bullying, or blackmail and extortion. Many people could be deeply embarrassed by their porn search history, and cybercriminals know this. By threatening to expose a victim’s online porn activity to their families or work colleagues, criminals could extort large sums of money.
In the case of Venezuela, a country that Conor works in, porn is illegal. While we didn’t see any records from Venezuela, if an ISP were to reveal illegal porn browsing by a customer, that customer would be even more vulnerable to legal repercussions from the government, as well as more susceptible to blackmail.
Advice from the Experts
Conor could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
For Conor’s Clients
We recommend reassessing or auditing your in-house data security and privacy protocols. You should also thoroughly vet any third-party applications you adopt or contractors you hire to ensure they’re following up-to-date data security best practices. In the meantime, contact Conor directly to find out how they have resolved this data leak and what steps they’re taking to ensure something like this doesn’t happen again.
For Customers of the Affected ISPs
If you’re concerned that you’ve been exposed in this data leak, contact your ISP to find out whether they have contracted Conor to build software for them in the past. They should be able to provide you with any information related to this leak and whether you were potentially exposed.
The most effective action you can take to ensure you’re not compromised in this leak, or any other, is to download a VPN. The breached database contained logs of all a user’s internet activity. The only way to stop this from happening again is with a VPN. Connecting to the internet via a VPN encrypts your data and hides your activity, even from your ISP. If you’re concerned about data security and vulnerabilities, read our complete guide to online privacy.