Chilean mobile network operator WOM exposes customer contracts


WOM failed to set a password on its cloud storage, leaking more than a million contracts containing highly sensitive customer data.

At the beginning of March, the Cybernews research team discovered a publicly accessible Amazon Web Services (AWS) S3 bucket belonging to the South American telecommunication company.

The passwordless cloud storage exposed a directory named ‘wom-contratos’ containing more than a million files with scanned pre-paid mobile contracts, putting part of the company’s eight million clients at risk.

ADVERTISEMENT

The contracts contained private customer data, including the highly sensitive RUT (Rol Único Tributario) numbers. The nine-digit RUT number serves as the primary identifier of entities and individuals for administrative and tax purposes in Chile.

Leaked personal data includes:

  • Full name
  • Phone number
  • Home address
  • Email addresses
  • RUT (Rol Único Tributario) number, Chilean equivalent of ID number
  • The date and location of contract signing
wom data leak sample
Sample of the leaked data. Image by Cybernews,

A major cause of concern is that the customer data was accessible to anyone on the internet for at least a couple of months. In the hands of malicious actors, the leaked data causes a tremendous risk of identity theft and financial fraud.

RUT numbers, in combination with personally identifiable information (PII), such as full names, addresses, and phone numbers, enable cybercriminals to impersonate individuals, open fraudulent accounts, apply for credit, or engage in tax-related fraud.

"RUT numbers in Chile are similar in sensitivity and consequences of exposure to Social Security numbers in the US,” said Aras Nazarovas, information security researcher at Cybernews.

“Other exposed PII is also commonly used for indiscriminate attacks such as phishing and spam, as well as targeted attacks such as doxxing and identity theft, which is made easier for the attacker due to the exposed RUT numbers being tied to other personal information.”

ADVERTISEMENT

Cybernews contacted the company, and the access has been secured. An official comment has yet to be received.

WOM was founded in 2015 through the acquisition of telecommunications company Nextel Chile by private equity fund Novator Partners LLP. It rapidly emerged as the fastest-growing wireless communications operator in the country, capturing a market share of 25.8% with over eight million customers.

In April of this year, the company filed for bankruptcy, quoting fierce competition and funding struggles and delayed 5G rollout.

It is not the first time that the personal identification numbers of individuals in South America have been leaked. In January, Cybernews discovered another massive data leak of Cadastro de Pessoas Físicas (CPF) numbers, identifying individual taxpayers in Brazil. With hundreds of millions of CPFs exposed, the leak might have affected the entire population of Brazil.