Private Data Of 6 Million Verizon Users Left Openly Accessible On The Internet
from the Whoops-a-Daisy dept
Yet another company has been caught leaving personal customer data just sitting on an openly-accessible server for anybody to obtain and abuse. According to UpGuard and security researcher Chris Vickery, the data was being stored by Nice Systems, a Ra’anana, Israel-based company employed by Verizon to store and analyze the data for an “unknown purpose.” The data, left unprotected on an Amazon S3 storage server by the company, included information on six million subscribers who had called Verizon support in the last six months, including customer names, phone numbers and the account PINs used to access their accounts.
Vickery notes that the ability to abuse these PIN numbers was particularly problematic:
“Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts, an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”
Similarly problematic was the fact that Verizon and Nice were notified of the breach on June 13th, but the data wasn’t secured until June 22:
“This exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.”
For its part, Verizon tried to downplay the breach to ZDNet, laying the entirety of the blame on Nice while trying to insist that most of the data had no real value:
“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” said a spokesperson. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.” … The phone giant said that the “overwhelming majority of information in the data set has no external value.”
Yeah, not comforting. The timing is ironic given that Verizon was one of several ISPs that just got done lobbying Congress and the Trump administration to kill new FCC broadband privacy protections that would have taken effect back in March. Those rules (pdf) would not only have required ISPs to be transparent about which third-party data vendors obtain and store customer information, but would also have required ISPs to adhere to basic standards for storing and protecting private data, and to quickly notify subscribers when their data is exposed (impacted users in this instance do not appear to have been notified yet).
Verizon had long argued that telecom privacy protections aren’t necessary because the industry could “self regulate,” something quickly disproven when Verizon was busted a few years ago covertly modifying wireless user data packets to track their behavior around the internet. At one point the company insisted that privacy protections aren’t necessary because “public shame” would keep the company honest — something that’s a bit difficult when customers have absolutely no idea who’s collecting, reviewing, or storing (poorly) their personal information in the first place.
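The whole incident reduces to one bucket being readable by the world. The check below is an added example written for this page; it is not code from UpGuard, Verizon or Nice Systems, and the ACL and bucket-policy documents in it are constructed to mirror the shape of the S3 GetBucketAcl and GetBucketPolicy responses rather than anything from the real bucket (the account ID and role name are placeholders). It flags ACL grants to the predefined AllUsers and AuthenticatedUsers groups and unconditioned Allow statements whose Principal is anyone, which are the two ways a bucket ends up "set to allow external access", and shows the same checks passing on a locked-down pair of documents.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that open a bucket
to the public, working from the JSON shapes the S3 API returns.

Added example for this article, not code from UpGuard, Verizon or Nice Systems.
The documents below are constructed to look like GetBucketAcl / GetBucketPolicy
output; the account ID and role name are placeholders, not real values.
"""
import json

# Predefined-group URIs that S3 uses in ACL grants. A grant to either of these
# is readable by people outside the account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Actions that let an outsider enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return (group description, permission) pairs granted to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Both "*" and {"AWS": "*"} mean every principal, including anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements that give read access to any principal
    with no Condition block narrowing who may use them."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need a human review; not flagged here
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_is_public(acl, policy):
    """True if either the ACL or the bucket policy opens the bucket to outsiders."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# Constructed ACL: the owner plus a READ grant to everyone on the internet.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed policy: one public-read statement beside one scoped to a vendor role.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VendorOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-vendor-role"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")

# Corrected pair: owner-only ACL and a policy with only the vendor-scoped statement.
LOCKED_ACL = {"Owner": EXPOSED_ACL["Owner"], "Grants": EXPOSED_ACL["Grants"][:1]}
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [EXPOSED_POLICY["Statement"][1]]}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("locked", LOCKED_ACL, LOCKED_POLICY)):
        print(name, "acl:", public_acl_grants(acl),
              "policy:", public_policy_statements(pol),
              "public:", bucket_is_public(acl, pol))
```

Against live buckets the same functions can be fed the dicts returned by boto3's `get_bucket_acl` and the parsed `Policy` string from `get_bucket_policy`; a scoped statement like `VendorOnly` is what a third party should have been given in place of an anonymous grant.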
Filed Under: chris vickery, data, security
Companies: nice systems, verizon
Comments on “Private Data Of 6 Million Verizon Users Left Openly Accessible On The Internet”
These kinds of breaches will keep happening unless we hold the ones that should be protecting the data liable and impose fines. I also want a unicorn.
TJ Maxx, I mean Verizon, will surely develop best practices and good security audits after this.
The phone giant said that the "overwhelming majority of information in the data set has no external value."
Funniest of the Week. Hands down.
They’re sincere, of course! "No external value", beyond managing one’s account. So while you could make changes to someone’s cell, landline, TV or Internet service, you couldn’t use that information externally, for example, to buy a can of peas at a supermarket. No problem, bro!
“The overwhelming majority of information in the data set has no external value.”
Well, I believe that… Verizon would never lie… Lying is bad, Verizon only has our best interests at heart and loves us all… Haven’t you seen the commercials and read their advertisements?
Also… I’d like my unicorn in a light blue with a rainbow mane please.
As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.
To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts. Finally, the number of subscriber accounts included in the media report is overstated. The actual number is approximately 6 million unique customers.
Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers.
Well, at least it doesn’t take the PR department nine days to do its job.
“and incorrectly set the storage to allow external access”
That isn’t easy. It’s hard to do by accident. I’ve supervised or directly handled a very large number of S3 storage instances. I’ve never gotten it wrong. Nobody who works for me has ever gotten it wrong. Nobody (external) who works with me has ever gotten it wrong. In all the years, in all the myriad deployments, in all the diverse cases, even when rushing to make a deadline, NOBODY has ever gotten it wrong.
So at this very moment, you (Verizon) should be interrogating every single person involved in this fiasco to find out if it was done on purpose. And you should be permanently banning this vendor from doing business with Verizon.
It’s nice that it isn’t super dangerous information, and that you are pretty sure only the researcher discovered the unsecured data. This time. The point is that this is a symptom of systemic poor security with corporate America in general. Was the secret program and the data that insecure when Verizon was busily feeding the government all of the traffic it handled before that little scheme was retroactively made “legal”?
It’s great if no one was hurt, but Verizon has a long way to go before it is believed in regards to anything. I’m not aware of a single good corporate behavior it possesses.
(Note that another thing implied to be curbing the risk here is these are all wireline users, who are lucky if they have service with some quality at any given moment, if the lines aren’t simply left to die, or sold off. I suppose that can be mitigating after some fashion.)
Security, and Lacklustre Assurances
"the fact that Verizon and Nice were notified of the breach on June 13th, but the data wasn’t secured until June 22:"
If true, that’s unprofessional in the extreme, and belies Verizon’s response about being committed to security and privacy of their customers.
Re: Security, and Lacklustre Assurances
When the researcher called, they were outside of their cellular network and could not take the call. The researcher left a message, but the voicemail system was down the next day when they got back to an area with coverage. The following day, they finally got the message, but they had hit their data cap and were unable to use their internet connection to confirm what the researcher had told them until they got to the 20th and their billing cycle changed over to the next month. Once confirmed on the 20th, they tried to call the corporate office, but the corporate office was having an internet connection issue preventing their internet-connected phone system from working.
So, they worked as fast as they could with the terrible communication system at their disposal.
Verizon has 146 million customers; 6 million were affected, that’s roughly 1 out of every 50 customers.
*The phone giant said that the “overwhelming majority of information in the data set has no external value.”*
Well of course it doesn’t. Who the heck cares about a piddly 6 million customers?
Interviewer: Even though you have now secured this data, by giving it to another company to process and not ensuring that it would not be exposed you have basically screwed your customers.
Verizon: But now they should be satisfied.