
Freedom Mobile Customer Data Exposed via Apptium Technologies Unsecured Elasticsearch

📅 2019-03-25 🏢 Apptium Technologies

Incident Details

In April–May 2019, security researchers Noam Rotem and Ran Locar discovered an unsecured Elasticsearch database belonging to Apptium Technologies, a third-party vendor that managed customer support and digital operations systems for Freedom Mobile — Canada’s fourth-largest wireless carrier (owned by Shaw Communications).

The database was publicly accessible without any password or authentication. Rotem and Locar discovered it on approximately April 17, 2019 and attempted to report it to Freedom Mobile that same day, receiving no response. After following up on April 24, Freedom Mobile acknowledged the report on April 25 and the database was secured. The researchers subsequently disclosed their findings publicly via VPNMentor’s research blog, covered by TechCrunch on May 7, 2019.

The Elasticsearch server contained approximately five million log entries, with the breach window confirmed by Freedom Mobile as March 25 to April 16, 2019. Freedom Mobile stated that approximately 15,000 customers had data actively accessed or at risk, though researchers noted the server logs spanned a far larger customer population.

Exposed data included customer names, email addresses, phone numbers, home addresses, dates of birth, Freedom Mobile account numbers, and customer type classifications. Critically, the database also contained answers to Equifax credit checks that Freedom Mobile ran on new applicants — including approval/rejection decisions and reasoning — alongside unencrypted credit card numbers and CVV codes for customers who had provided payment information. The inclusion of CVV codes in plaintext was particularly egregious, as PCI DSS explicitly prohibits storing CVV data post-authorization.

Freedom Mobile and Apptium’s failure to secure the database violated both Canadian PIPEDA privacy law and PCI DSS payment card standards. The exposure was reported to the Office of the Privacy Commissioner of Canada. Freedom Mobile offered credit monitoring to affected customers.

The incident was notable for the severity of data exposed (unencrypted CVVs, credit check results), the fact that a new third-party vendor relationship was the failure point, and the sluggish initial response to researcher disclosure. It illustrated the risks of outsourcing customer data management to vendors without rigorous security validation and contractual data handling requirements.

Technical Details

Initial Attack Vector: Misconfigured cloud database (unauthenticated Elasticsearch instance, no password)
Vendor / Product: Apptium Technologies
Software Package: Elasticsearch
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
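The failure point in this incident was an Elasticsearch node reachable from the internet with no authentication. The following elasticsearch.yml is an added, constructed example (not Apptium's or Freedom Mobile's configuration) showing the weak pattern beside a hardened baseline. The setting names are real Elasticsearch keys; the bind address, certificate paths, and the choice of a single interface are assumptions for illustration.

```yaml
# elasticsearch.yml: constructed example, not the vendor's actual configuration.

# --- Weak configuration (the pattern this incident illustrates) ---
# Binding to every interface with security disabled makes every index
# readable and writable by anyone who can reach TCP/9200; no credentials
# are checked. Older 7.x releases on the basic license shipped with
# security disabled, so an unedited config plus a public IP was enough.
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Hardened configuration ---
# Bind only to the address the application tier uses to reach the node.
# 192.0.2.10 is a documentation (TEST-NET) address used as a placeholder.
network.host: 192.0.2.10

# Require authentication and role-based authorization on every request.
xpack.security.enabled: true

# Encrypt the REST API so credentials and log contents are not sent in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# Encrypt node-to-node transport as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

After restarting the node, an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}' https://192.0.2.10:9200/` should return 401 rather than the cluster banner; a 200 here is the condition the researchers found. Note that access control alone would not have addressed the second finding above: PCI DSS forbids retaining CVV values after authorization, so the log pipeline feeding the index also needs to strip or never capture those fields.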

Timeline

  1. 2019-03-25 Breach window began (exposure continued to 2019-04-16)
  2. 2019-05-07 Publicly disclosed
  3. 2019-05-07 Customers notified