Verizon Data of at Least Six Million Users Leaked Online

Verizon, the US telecommunications juggernaut, has admitted that the data of at least six million customers, including names, addresses, account details and account PIN numbers, were exposed online.

The data had been exposed because Verizon’s third-party partner NICE Systems, a company with a history of supplying technology for use in state-sponsored surveillance, did not limit external access to an Amazon S3 server.

UpGuard, the cybersecurity company that discovered the leak, said that a misconfigured cloud-based file repository exposed the details of as many as 14 million US customers. It warned that beyond the risks of names, addresses and account information being made accessible, the exposure of Verizon account PIN codes used to verify customers, alongside their associated phone numbers, was of particular concern.

“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts – an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication”, the company wrote in a blog post. 

It added that it notified Verizon of the breach on June 13, but the “ultimate closure” of the breach only occurred on June 22. 

The discovery of the leak came on June 8, when UpGuard found a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access – all anyone needed was the S3 URL.

Once on the page, folders for each month could be found with directories corresponding to each day of the month. Each day folder had a couple dozen or so compressed files, with some as large as 23 GB once unzipped. The contents included the records of individuals’ calls to a customer support line, and voice recognition log files, as well as the more personal data such as names, addresses, phone numbers – and information such as customer satisfaction tracking and service purchases. In a large proportion of these files the most sensitive data, such as the PIN and customer codes, was masked, but in some there was no masking at all.

“NICE Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data. Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements,” said UpGuard.

“There is no difference between cyber-risk for an enterprise and cyber-risk for a third-party vendor of that enterprise. Any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise,” it added.

Verizon has since told CNN Tech that the security issue was caused by “human error”, and that no loss or theft of customer information occurred. It maintains that the personal data of six million customers was leaked online – rather than the 14 million suggested by UpGuard.

UPDATE: 17/07/2017 - Statement from NICE

We are aware of the published article.

Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.

This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.
