
TrueDialog, an SMS texting solutions provider, exposed tens of millions of text messages and other sensitive private information because it did not secure its database properly, according to a report from vpnMentor, a company that exposes internet hacks. 

vpnMentor researchers found that TrueDialog “compromised the security and privacy of millions of people across the USA,” exposing text messages, millions of account usernames and passwords, and PII of its users and their customers.

Businesses can glean important lessons from this breach, privacy experts told CMSWire. But first, here are some details about the breach as reported by vpnMentor, and TrueDialog's response to that report.

Mapping Project Leads to Breach Find

TrueDialog enables businesses to send mass text messages, marketing SMS, urgent alerts, education SMS and more. vpnMentor's researchers discovered the breach Nov. 26. How did they discover the breach in TrueDialog’s database? As part of a “huge web mapping project,” the researchers used port scanning to examine particular IP blocks and test the open ports they found for weaknesses. Their team was able to access TrueDialog’s database “because it was completely unsecured and unencrypted.” Because TrueDialog used an Elasticsearch database, vpnMentor was able to reach it from a browser and manipulate the URL search criteria into exposing the database schema.
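The failure described above is an Elasticsearch node reachable over plain HTTP with no authentication. As an added example (not code from the article, vpnMentor or TrueDialog), the audit below parses an elasticsearch.yml and flags the settings that produce exactly that exposure; the two configs are constructed samples, and the check treats any unset security option as disabled, which is the conservative reading for older 7.x nodes.

```python
"""Audit an elasticsearch.yml for the exposure pattern in the TrueDialog report:
bound to every interface, no authentication, no TLS. Sample configs are constructed."""

WEAK_CONFIG = """\
cluster.name: sms-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: sms-logs
network.host: 10.0.3.7
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses (comments stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(text):
    """Return a list of findings; an empty list means none of the checked settings is weak."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "localhost")  # Elasticsearch default binds loopback only
    if host in ("0.0.0.0", "::", "_global_", "_site_"):
        findings.append(f"network.host={host}: REST API reachable from non-local networks")
    # An unset security flag is treated as disabled (conservative; 7.x basic-license default).
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled not true: no authentication on the REST API")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled not true: REST traffic is plaintext")
    if s.get("xpack.security.transport.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.transport.ssl.enabled not true: node traffic is plaintext")
    return findings
```

Run `audit_elasticsearch(open("elasticsearch.yml").read())` on a node's own config; the weak sample yields four findings and the hardened one none.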

The TrueDialog database is hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the U.S. However, in an interview with CMSWire, vpnMentor stressed that Oracle Marketing Cloud and Eloqua were not at fault here. “We saw in the database logs related to these platforms, but these platforms have nothing to do with the leak,” Lisa Taylor, researcher at vpnMentor, wrote in an email to CMSWire.


Unencrypted Message System an Easy Target

Researchers wrote it was “quite easy to identify TrueDialog as the database owner.” They found a host ID “api.truedialog.com” throughout. “The account credentials were not only left unprotected, but in cleartext as well,” vpnMentor researchers reported. “This means that anyone who accessed the database would be able to log in to the company account, change the password and do an incredible amount of damage.”

"This is another fallout of the unencrypted message system that TrueDialog uses," vpnMentor researchers reported. They noted that this would make it easy for a corporate spy to read confidential messages sent by a rival company, and that the data may include marketing campaigns, roll-out dates for new products, new product designs or specifications and much more.

TrueDialog: No Evidence Data Accessed

vpnMentor's report emphasizes the potential damage that could result from such a breach. TrueDialog itself, however, has claimed that its ongoing internal investigation has not revealed any unknown malicious access.

John Wright, CEO of TrueDialog, was asked by CMSWire to respond to vpnMentor's report. Wright told CMSWire his company was notified Thursday, Nov. 28, that white hat security researchers had discovered that text message logs between TrueDialog business customers and individuals were potentially accessible on one of its Azure servers for a short period. The data was located at a nonpublished network port which is now secured, Wright said. "We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible," Wright added.

What Information Was Involved? 

TrueDialog's initial analysis revealed that approximately 97% of the database content at issue was records of "one-way bulk text alerts and generic replies," such as recurring text subscriptions and opt-out requests, which contained no personally identifiable information, according to Wright. "Although our review of the data is still ongoing, we have so far been able to determine that 99.9% of the total records contain no personally identifiable information," said Wright, disputing vpnMentor's report that the exposed data included PII. "Again, while our investigation is still under way, at this point there has been no evidence of harm or damage to any of our customers or consumers as a result of this incident."

External Security Experts Consulted 

Wright said his company has engaged external security experts to assist with this incident and its safeguards to detect and prevent unauthorized access to its business records. "We are continuing to review the remaining message log data and will notify relevant parties in the event we learn any additional facts that would trigger additional concerns under applicable law," he said. "TrueDialog is committed to ensuring that your data is protected, and we apologize to our customers and any affected consumers for the concern and frustration this incident caused. Protecting your information is critical to us and we are working to continuously strengthen our defenses."

Consider Alternative to Outsourcing

Regardless of what vpnMentor and TrueDialog agree or disagree on, businesses that trust a provider with their customer data can learn from this breach. Taylor said that if companies decide to outsource a service such as TrueDialog’s, they have no choice but to understand that this can — and probably will — happen. “A better option may be to integrate a service like that in their system instead of outsourcing it so they would be the only one to manage their users' data, and it wouldn't be managed by a third party who might leak it,” Taylor said. “This would definitely require knowledge regarding the implementation as well as the security in order for these companies not to be the source of the leak themselves. But at least the data will be in their hands.”

The bottom line here is that you can never know how the data you provide to a third party is managed and secured, Taylor added, which is why you should be careful with the data you share with them.


Assume Data Will Be Leaked

There is nothing that users can do when subscribing to a service to make sure the service won't leak the data, Taylor said. “The only thing they should do, though, is to assume their data could leak, and, if so, how critical would this be for them,” she said. “How would a leak of the data they provide impact their life?” 

Your business’ consumers need to be aware of these leaks, that they can happen to anyone, and that they happen on a daily basis, Taylor added. “Unfortunately, we've seen this happening a lot: people trusting companies and companies leaking their data by 'mistake,’” she said. 

Check on Encryption Standards

Businesses partnering with a large provider for their customer communications need to go beyond expecting encryption and actually check that it is happening with their new partners. “You can see these last few years: more and more texting apps that are ‘privacy-oriented’ popping up,” Taylor said. "We wouldn't expect these to leak, but if it does happen, then we do expect everything to be encrypted there. It wasn't the case here. Texts were fully readable, as well as login credentials.”

Plan for the Worst; Hope for Best

Robert Reeves, co-founder and CTO of Datical, a database release automation software provider, said when you rely on an external provider to handle sensitive data, you must ask the vendor: What happens when there is a breach? "If your vendor responds with reasons why it won’t happen, that’s a bad sign," he said. “Having a response plan is an indicator the company has worked through the possibility of a breach. It shows a level of responsibility that I believe leads to avoiding breaches in the first place. Hubris is the first step in lax security.”

Companies must always ask themselves, “What will happen to my business if this provider is breached? — That sort of questioning,” Reeves said, “allows you to weigh the ease of using a service provider providing your own solution. However, unless you are able to provide a higher level of security, your best choice is to find a selection of providers and question them specifically on security and breach response.”


Has Your Partner Had a Security Audit?

This lapse by TrueDialog resulted from negligence and could have been easily prevented through a routine security audit, Reeves said. “Isn’t it better to find out from a family member that you have something stuck in your teeth than to walk around the office all day with it?” he asked. “Of course, if you think performing a security audit is expensive, consider how expensive a security breach is.”