Charter customer data discovered as exposed and password-free on cloud server

Charter Communications said it has removed customer data from an Amazon cloud server after a security research company blogged about finding it unprotected on the open internet. 

Kromtech Security Center said it discovered two cloud-based data repositories connected to the MyTWC app, files maintained by Time Warner Cable software and services vendor BroadSoft, Inc. Charter closed its $49 billion purchase of TWC 15 months ago. Tech publication Gizmodo is being credited for first discovering the Kromtech post.

According to Kromtech, more than 600 gigabytes of data, including user names, MAC addresses and account numbers, was discovered on Aug. 24, not protected by a password. More than 4 million legacy TWC customers were affected. The data dated back to at least 2010.

“A vendor has notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources,” Charter said in a statement to Gizmodo. 

Charter said it removed the data immediately after it was informed of the breach and is investigating the matter. 

“There is no indication that any Charter systems were impacted,” Charter added. “We encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

A BroadSoft spokesperson confirmed the breach but said the company doesn’t believe the data is “highly sensitive.”

Some of the data included camera footage of operations within BroadSoft’s Bengaluru, India offices. 

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” said Bob Diachenko, Kromtech’s chief communications officer. “In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure.”