Private Data Of 6 Million Verizon Users Left Openly Accessible On The Internet
from the Whoops-a-Daisy dept
Yet another company has been caught leaving personal customer data just sitting on an openly accessible server for anybody to obtain and abuse. According to UpGuard and security researcher Chris Vickery, the data was being stored by Nice Systems, a Ra'anana, Israel-based company employed by Verizon to store and analyze the data for an "unknown purpose." The data, left unprotected on an Amazon S3 storage server by the company, included information on six million subscribers who had called Verizon support in the last six months, including customer names, phone numbers and the account PINs used to access their accounts.
Vickery notes that the ability to abuse these PINs was particularly problematic:
"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication."
Similarly problematic was the fact that Verizon and Nice were notified of the breach on June 13th, but the data wasn't secured until June 22:
"This exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."
For its part, Verizon tried to downplay the breach to ZDNet, laying the entirety of the blame on Nice while trying to insist that most of the data had no real value:
"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," said a spokesperson. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access."...The phone giant said that the "overwhelming majority of information in the data set has no external value."
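The failure described in both the UpGuard write-up and the Verizon statement is a storage permission set to allow external access. As an added example (not code from the article, UpGuard, Verizon or Nice), the script below evaluates the two places such a grant lives for an S3 bucket: the bucket ACL and the bucket policy, in the same shape the AWS API returns them, together with the bucket's Public Access Block settings that decide whether an existing public grant is actually effective. The grantee group URIs and the Public Access Block setting names are AWS's real ones; the bucket name, canonical ID, VPC endpoint ID, ACL and policy are constructed samples.

```python
import json

# AWS's predefined grantee groups meaning "anyone on the internet" (AllUsers) and
# "anyone with any AWS account" (AuthenticatedUsers). AWS treats both as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample of a get_bucket_acl() response for a bucket whose ACL was set to
# allow external READ. The canonical ID is a placeholder, not a real account.
SAMPLE_ACL = {
    "Owner": {"ID": "PLACEHOLDER_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample of get_bucket_policy()["Policy"]: one statement open to the world,
# one wildcard statement narrowed to a (placeholder) VPC endpoint, which is not public.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vendor-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vendor-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    ],
})


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """Principal may be the string "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each unconditional Allow statement with a wildcard principal.

    Statements carrying a Condition block are skipped: a condition such as aws:SourceVpce
    or aws:SourceIp narrows the grant, so AWS does not classify it as public.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings


def bucket_is_exposed(acl, policy_json, public_access_block=None):
    """Combine both checks with the bucket's Public Access Block configuration.

    IgnorePublicAcls makes S3 ignore existing public ACL grants, and RestrictPublicBuckets
    confines a public bucket policy to the owning account. BlockPublicAcls and
    BlockPublicPolicy only stop new public grants from being written, so they are not
    consulted here: they do not neutralise a grant that is already in place.
    """
    block = public_access_block or {}
    acl_exposed = bool(public_acl_grants(acl)) and not block.get("IgnorePublicAcls", False)
    policy_exposed = (bool(public_policy_statements(policy_json))
                      and not block.get("RestrictPublicBuckets", False))
    return acl_exposed or policy_exposed


if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("exposed with no Public Access Block:", bucket_is_exposed(SAMPLE_ACL, SAMPLE_POLICY))
    print("exposed with all four settings on:",
          bucket_is_exposed(SAMPLE_ACL, SAMPLE_POLICY,
                            {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}))
```

Against a live account the same functions take the dictionaries returned by boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`; the evaluation logic is the part worth owning, since a bucket can be closed by either neutralising the grant or removing it, and an audit should report which one actually happened.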
Yeah, not comforting. The timing is ironic given that Verizon was one of several ISPs that had just finished lobbying Congress and the Trump administration to kill new FCC broadband privacy protections that would have taken effect back in March. Those rules (pdf) would not only have required ISPs to be transparent about which third-party data vendors obtain and store customer information, but also required them to adhere to basic standards for storing and protecting private data, and to promptly notify subscribers when their data is exposed (impacted users in this instance do not appear to have been notified yet).
Verizon had long argued that telecom privacy protections aren't necessary because the industry could "self regulate," something quickly disproven when Verizon was busted a few years ago covertly modifying wireless user data packets to track their behavior around the internet. At one point the company insisted that privacy protections aren't necessary because "public shame" would keep the company honest -- something that's a bit difficult when customers have absolutely no idea who's collecting, reviewing, or (poorly) storing their personal information in the first place.
Filed Under: chris vickery, data, security
Companies: nice systems, verizon
Reader Comments
The phone giant said that the "overwhelming majority of information in the data set has no external value."
Funniest of the Week. Hands down.
[ link to this | view in chronology ]
Re:
They're sincere, of course! "No external value", beyond managing one's account. So while you could make changes to someone's cell, landline, TV or Internet service, you couldn't use that information externally, for example, to buy a can of peas at a supermarket. No problem, bro!
[ link to this | view in chronology ]
Well, I believe that... Verizon would never lie... Lying is bad, Verizon only has our best interests at heart and loves us all... Haven't you seen the commercials and read their advertisements?
Geez...
Also... I'd like my unicorn in a light blue with a rainbow mane please.
[ link to this | view in chronology ]
David.Samberg@verizonwireless.com
T. 914.329.5429
As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.
To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts. Finally, the number of subscriber accounts included in the media report is overstated. The actual number is approximately 6 million unique customers.
Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers.
http://www.verizon.com/about/news/verizon-responds-report-confirms-no-loss-or-theft-customer-information
[ link to this | view in chronology ]
Re:
Well, at least it doesn't take the PR department nine days to do its job.
[ link to this | view in chronology ]
Re:
That isn't easy. It's hard to do by accident. I've supervised or directly handled a very large number of S3 storage instances. I've never gotten it wrong. Nobody who works for me has ever gotten it wrong. Nobody (external) who works with me has ever gotten it wrong. In all the years, in all the myriad deployments, in all the diverse cases, even when rushing to make a deadline, NOBODY has ever gotten it wrong.
So at this very moment, you (Verizon) should be interrogating every single person involved in this fiasco to find out if it was done on purpose. And you should be permanently banning this vendor from doing business with Verizon.
[ link to this | view in chronology ]
Re:
It's great if no one was hurt, but Verizon has a long way to go before it is believed in regards to anything. I'm not aware of a single good corporate behavior it possesses.
(Note that another thing implied to be curbing the risk here is these are all wireline users, who are lucky if they have service with some quality at any given moment, if the lines aren't simply left to die, or sold off. I suppose that can be mitigating after some fashion.)
[ link to this | view in chronology ]
Security, and Lacklustre Assurances
"the fact that Verizon and Nice were notified of the breach on June 13th, but the data wasn't secured until June 22:"
If true, that's unprofessional in the extreme, and belies Verizon's response about being committed to security and privacy of their customers.
[ link to this | view in chronology ]
Re: Security, and Lacklustre Assurances
So, they worked as fast as they could with the terrible communication system at their disposal.
[ link to this | view in chronology ]
Well of course it doesn't. Who the heck cares about a piddly 6 million customers?
[ link to this | view in chronology ]
Satisfied customers
Verizon: But now they should be satisfied.
[ link to this | view in chronology ]