Axiom Telecom Data Exposure Included Debit Numbers, Passwords


(Bloomberg) -- An online database from one of the leading retailers of Apple Inc. and Samsung Electronics Co. mobile phones in the Middle East was exposed, including prepaid debit card numbers and personal information belonging to about 10,000 third-party salespeople.

The Axiom Telecom LLC data exposure, which is relatively small compared to some recent breaches, contained passwords belonging to third-party salespeople that appeared to unlock an app designed for their small businesses to place orders and view incentives and invoices, an Axiom official told Bloomberg News.

The security flaw may prove embarrassing for the company’s founder, Emirati entrepreneur Faisal Al Bannai, who is better known as the managing director of the cybersecurity company DarkMatter. That company has been under scrutiny for allegedly providing staff for a secret hacking operation that targeted human rights activists, journalists and other governments on behalf of a United Arab Emirates intelligence agency. DarkMatter previously denied involvement in any covert operations.

Ran Locar and Noam Rotem, security researchers based in Israel, said they discovered the exposed data in August.

Fahad Al Bannai, Axiom’s chief executive officer, said the company discovered “a weakness in one of our applications used in less than 5% of our business” during a regular system assessment.

“This has been corrected, and we are doing a comprehensive evaluation to ensure there are no other issues,” Al Bannai said, in an email. “To our knowledge there have been no malicious activities.”

In-House Security

Axiom and DarkMatter don’t work with each other, the Axiom official said. Instead, Axiom uses in-house security. The official requested anonymity in providing details about the incident.

Neither Faisal Al Bannai nor a DarkMatter spokeswoman responded to requests for comment about prior criticisms of that company.

Locar and Rotem had been scanning the Internet for exposed personal information when they stumbled upon an Axiom database that was incorrectly configured. That allowed anyone to download the data if they knew where to look, they said.

The exposed information included names, date of birth, mobile numbers, and emails for third-party salespeople. In addition, the logs contained scans and photos of identification cards of U.A.E. residents and Saudi citizens that were uploaded online through an Axiom sub-domain that was meant to be protected.

Those sub-domains were exposed due to a design flaw in an app used by a third-party dealer, the Axiom official said.

In all, the exposed data included about 10,000 records pertaining to 3,000 businesses, the Axiom official said. Axiom currently works with about 20,000 retail mobile stores, namely in Saudi Arabia and United Arab Emirates, the person said.

The company is currently working on a communication plan to inform those impacted, the Axiom official said.

©2019 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.