News: Verizon Security Scare Sees '14 Million Customer Accounts' Left Exposed Online
New York, NY, USA, July 12, 2017 -- The personal details of up to "14 million customers" of US communications provider Verizon, including names, addresses, account records and account PIN numbers, were left exposed online on a cloud server without adequate password protection, a security firm has claimed.
According to cybersecurity firm UpGuard, one of its researchers uncovered the database and its terabytes of internal files without any meaningful protection.
The cloud-based Amazon Web Services (AWS) repository was "downloadable and configured to allow public access," the firm said. It remained exposed, where anyone could have downloaded and exploited the information, for the better part of a month.
In a blog post published on Wednesday 12 July, UpGuard said the repository was initially found on 8 June, reported on 13 June and later resolved on 22 June 2017.
The repository reportedly contained six folders dated from January to June this year.
In one text file the researchers uncovered "six thousand" unmasked PIN codes - assigned to individual customers to identify accounts. Upon analysis, the records were linked to Verizon customer call centre logs which used Nice Systems' technology.
UpGuard cyber resilience analyst Dan O'Sullivan branded some aspects of the find "troubling".
"The exposure of Verizon account pin codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning," he wrote.
"Possession of [...] account pin codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication."
UpGuard said that once the leaked files were unzipped and analysed, the contents were found to be listed in the format of daily customer logs, with some text documents as large as 23GB. One included voice recognition data from a phone support line, but no recordings were exposed.
Interestingly, the researcher also found data that appeared to be linked to French telecommunications firm Orange, another partner of Nice Systems.
UpGuard said this trove of leaked data was "less sensitive" but still noteworthy as the rest of the repository was all Verizon records.
"Third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements," O'Sullivan continued.
"There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor's side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise."
'No loss or theft'
In a statement to IBTimes UK, a Verizon spokesperson said: "An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access.
"We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
"The vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call centre portal and required certain data for the project.
"The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."
The firm claimed the number of subscriber accounts included in the UpGuard report was "significantly overstated" but did not provide an additional figure to publish.
A spokesperson for Nice Systems said: "Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that Nice divested several years ago and no longer has anything to do with our business.
"This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project."
It is not uncommon for information, especially when collected by third-party vendors, to be left exposed online through misconfiguration.
Posted by Veronica Silva Cusi, news correspondent
Published: Thursday, July 13, 2017