Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Published: 22/11/2024   Category: security




Six million of Verizon's US customers had their personal and account information exposed, including PIN numbers.



Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.
The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, and account information, including account personal identification numbers (PINs), were compromised.
UpGuard estimated from its data that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.
In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. "Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions," he says.
What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account.
Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that "no loss or theft of Verizon or Verizon customer information occurred." The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.
"An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.
How it Went Down
NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.
Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain verizon-sftp. The repository held six folders with titles spanning Jan-2017 to June-2017 and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.
Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage and then on June 22 the exposure was sealed up, according to UpGuard's report.
"There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.
Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on an Amazon S3 bucket. Earlier this year, UpGuard also discovered a similar situation that involved the Republican National Committee (RNC), which left millions of voter records exposed on the cloud account.
As in the Verizon case, the RNC relied on a third-party vendor to handle its cloud storage needs and it too used Amazon's AWS S3. That third party also improperly set the database to public rather than private.
"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."
Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.
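The public-rather-than-private setting described above is something a bucket owner can check for directly. The following is an added example, not code from the article, UpGuard, or Verizon: a small offline audit that flags public ACL grants and wildcard policy statements. The function names are hypothetical, and the sample input is constructed, shaped like S3's bucket ACL, bucket policy, and Block Public Access settings.

```python
import json

# Group URIs that S3 ACL grants use for public audiences.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def public_acl_findings(acl, block=None):
    """Flag ACL grants to a public group (acl shaped like a GetBucketAcl response)."""
    if (block or {}).get("IgnorePublicAcls"):
        return []  # with this Block Public Access setting on, S3 ignores public ACLs
    return [f"ACL grants {g['Permission']} to {PUBLIC_GROUPS[g['Grantee']['URI']]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    values = principal if isinstance(principal, list) else [principal]
    return "*" in values

def public_policy_findings(policy_json, block=None):
    """Flag Allow statements open to any principal with no Condition."""
    if not policy_json or (block or {}).get("RestrictPublicBuckets"):
        return []  # no policy, or public-policy access is restricted by the setting
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may not be wrapped in a list
        statements = [statements]
    # Statements that carry a Condition are skipped here and need manual review.
    return [f"Policy allows {s.get('Action')} to any principal"
            for s in statements
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(acl, policy_json=None, block=None):
    return public_acl_findings(acl, block) + public_policy_findings(policy_json, block)

# Constructed sample input (not data from the incident).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

An empty result only means no unconditional public grant was found; statements with a Condition and object-level ACLs still need their own review.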