Information including the names, physical addresses, emails, account numbers and conversation logs of Arizona CenturyLink customers have been leaked in an online database for 10 months, according to researchers.
Comparitech first reported of the database, which was found in collaboration with security researcher Bob Diachenko earlier this month. The Arizona Attorney General’s Office confirmed to Arizona Mirror that it is aware of the leak.
“We are aware of the CenturyLink data breach, but all information we have is confidential (under) the data-breach notification statute and the Arizona Consumer Fraud Act,” said AG’s spokeswoman Katie Conner.
When Diachenko discovered the database on Sept. 15, he notified CenturyLink and the database was closed two days later. But it had already been online for nearly a year, according to Comparitech.
The database obtained by Comparitech contained 2.8 million records and was first published online in November 2018.
Comparitech also reported that the Federal Communication Commission is investigating the data breach.
Credit card information, social security information or other data that is considered highly personal wasn’t part of the leak, however, the data could be used in targeted phishing attacks by scammers or spammers.
As Comparitech noted, the information could also lead to assisting criminals in physical crimes by allowing them knowledge of when a technician would be coming to a home if they are able to log in to an account using credentials they were able to obtain via the data breach.
CenturyLink did not respond to multiple requests for comment.
The company did provide Comparitech with a statement saying it has been working to address security issues and are “conducting a thorough investigation of the incident.”
“The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers,” the statement said.
This isn’t CenturyLink’s first time dealing with a major security breach.
Last year, a lawsuit filed against the company and DirecTV alleged the companies failed to adequately protect consumer data which was openly accessible on the internet. The lawsuit was settled out of court later that year and about 1,000 customers affected got about $700 each.
It is not entirely clear how many Arizonans were impacted by this breach.
The AG’s Office recommends that anyone who fears they may have been the subject of a breach should change their passwords, review recent financial activity, get a free credit report, place a credit freeze on your accounts and be wary of spam emails and calls.
If you believe you have been a victim of identity fraud the AG’s Office suggests filing a police report with your local law enforcement agency, notifying all three credit reporting agencies and visiting the FTC’s Identity Theft website.