Customer records of at least 14 million subscribers have been exposed in a major data breach at phone giant Verizon.
The leaked data, which included phone numbers and account PINs, was found on an unprotected Amazon S3 storage server controlled by an employee of Israeli tech firm Nice Systems. The data was open to download for anyone who found the easy-to-guess web address.
Amazingly, it took Verizon over a week to secure the data after security firm UpGuard privately disclosed the leak in late June. UpGuard, which initially discovered the data, said in a blog post:
“A misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.
“The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations.”
The security firm pointed out that discovery of PIN codes and their associated phone numbers was particularly concerning, potentially allowing scammers to access customer accounts.
Verizon has, as is the norm, launched an investigation into the breach, looking at how customer data was improperly stored on the AWS server. In a statement reassuring customers that no data had been stolen in the leak, Verizon said:
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”
“Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers.”
The carrier also played down concerns that PINs and associated phone numbers could be used to access customer accounts, saying that PINs are only used to authenticate calls to its call centre and do not provide online access.
Verizon also disputed the number of accounts involved in the leak, saying that the 14 million number was overstated and was in fact closer to 6 million accounts.
“With millions of exposed names, phone numbers and account PINs, the fallout from Verizon’s latest Amazon S3 leak will be felt for a long time to come,” said Jeff Nolan, CMO at SecureAuth.
“When an attacker has enough information about their target – gathered either through social engineering or from data breaches – they will contact the phone carrier and have the phone SIM card swapped to a new device. Once this is complete, all texts and phone calls will be sent to this device. Typically, the bad actor ports the number to some sort of virtual number, but there have been cases where the number is ported to a burner phone.”
This latest data breach follows similar incidents in which third-party vendors have left information exposed through misconfiguration.
“This breach demonstrates the fact that while cloud services like AWS can be secure, it is up to the organisations using them to ensure that these services are configured in a secure fashion,” said Rich Campagna, CEO, Bitglass.
“In relation to this specific case, there are technologies available today that could have quickly, easily and cost-effectively ensured appropriate configuration of the cloud service, denied unauthorised access, and encrypted the sensitive data at rest. Companies like Verizon must insist that third-party vendors like Nice protect their customer data as they move it to the public cloud.”
In a statement to CBR, NICE said:
“Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.
“This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.”