Another day another massive data leak – This time it is being reported that personal details of 14 million Verizon Wireless customers have been exposed online due to a misconfigured cloud-based file repository on behalf of a third-party vendor in Israel known as Nice system.
The data repository, an Amazon Web Services S3 bucket was being administered by a company’s employee while the exposed data itself includes names, account details, account personal identification numbers (PINs) and addresses of Verizon customers.
The massive trove of data was discovered by UpGuard’s security researcher Chris Vickery on 8th June 2017. Vickery also noted another file on the server containing French-language text files belonging to Orange S.A., a France-based multinational telecommunications corporation who also uses services provided by the Nice system.
Nice System, is known for providing telephone voice recording, surveillance, data security services as well as analyzing the recorded data. According to a blog post by UpGuard’s Dan O’Sullivan:
“It appears to have been created to log customer call data for unknown purposes.”
Vickery reported the incident to Verizon while the data was fully secured on June 22nd. Meanwhile, the discovery was kept confidential since the data was available for anyone to download simply by entering the S3 URL.
“Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication,” writes Dan O’Sullivan.
Rich Campagna, CEO of Bitglass commented on the issue and told HackRead that: “This breach demonstrates the fact that while cloud services like AWS can be secure, it is up to the organizations using them to ensure that these services are configured in a secure fashion. In relation to this specific case, there are technologies available today that could have quickly, easily and cost effectively ensured the appropriate configuration of the cloud service, denied unauthorized access and encrypted the sensitive data at rest. Companies like Verizon must insist that third party vendors like Nice protect their customer data as they move it to the public cloud.”
Thomas Fischer, threat researcher and global security advocate at Digital Guardian said that: “The advent of new computing platforms and data protection legislation, such as the GDPR, have combined to create the perfect storm. Now, threatened with significant fines for non-compliance, organizations must ensure data is secure across the entire supply chain and across all platforms. In order to adapt to these changes, organizations need to take into account new threat vectors that simply would not have existed even a few years ago. If Verizon had an effective security policy review process in place and was integrating third parties into this methodology, this incident could likely have been avoided. Outsourcing to new technology partners does not mean that you can reduce security initiatives. In fact, it actually means you need to put in place a stronger set of controls.”
The question which remains unanswered is why an Israeli company is keeping call records of Verizon Wireless customers without informing them. It seems like the American telecom giant has put the privacy of its millions of customers at risk since it is the company’s responsibility to secure user data.
Also, if the data had gone into the hands of cyber criminals, one could have expected large-scale social engineering scams. In case the data was downloaded by a spy agency of another country, it would have been a jackpot for them.
However, this is not the first time when Verizon Wireless had its data exposed online. In March 2016, the company suffered a massive data breach in which data of 1.5 million customers was stolen. In 2012, 3 million customer records of the company were leaked online after a hacker breached Verizon’s database.
Verizon is claiming that personal data of 6 million customers have been leaked online. However, UpGuard researchers are sticking with the initial number of 14 million users.