Unprotected Amazon S3 Server Exposes Millions of Verizon Customer Records
Millions of Verizon customer records have been exposed by an Israeli technology company, a ZDNet report claimed last night. According to the report, as many as 14 million Verizon customers who called the company's customer service in the past six months may have had their data exposed.
Verizon has now confirmed that 6 million records were compromised by Nice Systems, the carrier's partner company that handles customer service calls.
The data was found by a security researcher on an unprotected Amazon S3 storage server, which was controlled by an employee of Nice Systems. However, the data was accessible to anyone who knew the "easy-to-guess" web address. Speaking to CNN, Verizon claims that no other external party had access to this data and that there has been no loss of customer data. The company hasn't explained how it's certain that no one has had access to this data.
Verizon secured data 9 days after it was informed
Chris Vickery, a known security researcher who is currently working with the security firm UpGuard, first noticed this data on June 13. It took Verizon nine days to secure the data after Vickery privately informed the company. The customer data was eventually secured on June 22.
The leaked customer records were in a log file that was generated to verify account holders by Verizon. However, these logs were also analyzed by Nice to "realize intent, and extract and leverage insights to deliver impact in real time." This leaked data affects customers who called the company from January through June, as the folders contained daily log files.
The customer records contain hundreds of data fields, including a customer's name, their phone number, home address, email address, account balance, and their account PIN that can give anyone access to the account.
According to the security researcher, some records were partially redacted; however, subscriber impersonation is still possible. Cybersecurity experts have warned of phone hijacking and account takeovers, which could potentially lead to social media account hacking, bypassing even the two-factor authentication that relies mainly on text messages.
This isn't the first time Verizon has suffered a massive data breach. Last year, hackers stole data from the company's enterprise unit and put it up online for sale.
Both Verizon and Nice have said they are investigating the issue. Nice offers its services to 85 of the Fortune 100 companies, which means this incident could cause panic in its client list that includes several government intelligence agencies as well. Verizon has also put most of the blame on Nice for this security breach.
"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," a company spokesperson said. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access."
Experts have advised Verizon customers to update their PIN codes to avoid any security issues.