At least 14 million Verizon customer records, including phone numbers and account PINs, were reportedly exposed to the internet, but Verizon says no data was stolen.
A researcher from security firm UpGuard found the data on a cloud server maintained by data analytics firm Nice Systems.
The data was not protected by a password and could easily have been downloaded and exploited by cyber criminals, the security firm said in a blog post.
“UpGuard director of cyber risk research, Chris Vickery, discovered a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access. The database and its many terabytes of contents could be accessed simply by entering the S3 URL,” the firm said.
Both Nice Systems and Verizon have confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed.
“An employee of one of our suppliers put information into a cloud storage area and incorrectly set the storage to allow external access,” the Verizon spokesperson told CNBC.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its supplier was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”
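The exposure described above came down to a storage configuration that allowed anonymous access. The following is an added example, not code from the article, from UpGuard, Verizon or Nice Systems: a small Python checker that flags S3 bucket policy statements granting access to the anonymous principal, and reports which of AWS's Block Public Access settings are not enabled. Both sample policies, the bucket name and the account ID are constructed placeholders.

```python
"""Flag S3 bucket policies that grant access to anonymous principals.

Added example, not from the article or from UpGuard/Verizon/Nice.
The sample policies below are constructed; bucket name and account ID
are placeholders.
"""
import json

# Block Public Access settings (real AWS setting names). When all four are
# enabled, a bucket cannot be made public by its policy or ACLs.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _principals(principal):
    """Normalise the Principal element ('*', {'AWS': ...}, lists) to a flat list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return [p for item in principal for p in _principals(item)]
    if isinstance(principal, dict):
        return [p for value in principal.values() for p in _principals(value)]
    return []


def public_statements(policy):
    """Return (sid, severity) for each Allow statement whose Principal is anonymous.

    A statement without a Condition is reported as 'public'; one with a
    Condition is reported as 'review', since the condition may narrow access
    (for example to a source IP range) and needs a human look.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", f"statement-{index}"), severity))
    return findings


def public_access_block_gaps(settings):
    """Return the Block Public Access settings that are not enabled."""
    return [name for name in HARDENED_PUBLIC_ACCESS_BLOCK if not settings.get(name, False)]


# Constructed example: a policy that exposes an entire bucket to anyone.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAnyoneToRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-staging-bucket",
                 "arn:aws:s3:::example-staging-bucket/*"]
  }]
}""")

# Constructed example: the same data shared only with one named IAM role
# (placeholder account ID).
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAnalyticsRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-staging-bucket/*"
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_statements(policy))
    print("gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

In practice the policy and Block Public Access settings would be fetched for each bucket from the account's API; the checker is the part that decides whether what comes back is acceptable, and the `review` category is there because a conditioned `*` grant is not necessarily public.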
Verizon also said the number of subscribers affected was “overstated” and that the PINs that were available during the breach are not actually linked to customer accounts, but rather were numbers used to authenticate customers at call centres.
However, UpGuard said this exposure is a potent example of the risks of third-party suppliers handling sensitive data.
“The long duration of time between the initial 13 June notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on 22 June, is troubling,” the security firm said.
“Third-party supplier risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.
“Nice Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy. This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties.”
A spokesperson for Nice Systems told the International Business Times: “Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that Nice divested several years ago and no longer has anything to do with our business.
“This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.”
John Gunn, chief marketing officer for VASCO Data Security, said the fact that no data may have been downloaded does not minimise the risk of instances such as this.
“Sure, a mid-air miss is better than an air flight disaster, but neither should ever happen. Data such as this can be used by hackers for all types of attacks, especially phishing attacks, by giving them legitimacy in the mind of the victim,” he said.
Willy Leichter, vice-president of marketing at Virsec, said this incident raises thorny security issues because it seems both careless and suspicious.
“Obviously leaving millions of records unprotected is careless and implies a lack of controls, security and governance, in an organisation that is entrusted with vast quantities of legally protected personal information,” he said.
“But what’s equally suspicious is that this company, with close government ties and a history of phone cracking and of supporting surveillance, would have ungoverned access to sensitive data and treat security so casually.”
Regardless, Leichter believes this will be a heated board-level issue for a $1bn company such as Nice, and a $125bn-plus company such as Verizon.
He also points out that after the European General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018, a single incident like this involving EU citizens’ data could attract a fine of up to $5bn, which is 4% of Verizon’s annual turnover.