
Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Six million of Verizon's US customers had their personal and account information exposed, including PIN numbers.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.

The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, and account information, including account personal identification numbers (PINs), were compromised.

UpGuard estimated from its data that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.

In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. "Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions," he says.

What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account.

Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts."

"An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.

Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain "verizon-sftp." The repository held six folders with titles spanning "Jan-2017" to "June-2017" and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.

Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage, and the exposure was sealed on June 22, according to UpGuard's report.

"There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on an Amazon S3 bucket. Earlier this year, UpGuard also discovered a similar situation involving the Republican National Committee (RNC), in which millions of voter records were left exposed on the cloud account.

As in the Verizon case, the RNC relied on a third-party vendor to handle its cloud storage needs, and it too used Amazon's AWS S3. That third party also improperly set the database to public rather than private.

"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
 

Comments
Routingexperts,
User Rank: Apprentice
8/14/2019 | 5:00:20 AM
Re: So Soon?
I appreciate your writing skill, thanks for sharing such kind of great information. I read your full article and also I recommend it to others to share more. I agree with your right words. 
AllinD033,
User Rank: Apprentice
4/26/2019 | 6:12:07 AM
Re: Complexity
thanks yes you are right dear.
Rhianprentice,
User Rank: Apprentice
1/11/2019 | 11:17:59 AM
Re: So Soon?
To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

 
miguelgardner,
User Rank: Apprentice
9/18/2018 | 11:56:21 AM
Re: So Soon?
I like your site and writing very much. I saved it on bookmarks. Thank you for your valuable information.
Winema,
User Rank: Apprentice
1/6/2018 | 2:27:40 AM
Re: So Soon?
interesting site, thanks guys, add it to your bookmarks!
Winema,
User Rank: Apprentice
1/6/2018 | 2:25:52 AM
You definitely put a brand new spin
You definitely put a brand new spin on a subject that has been discussed
for many years. Excellent stuff, just excellent 
Joe Stanganelli,
User Rank: Ninja
7/20/2017 | 4:00:22 PM
Re: Two weeks of unnecessary exposure?
@Charlie: Chalk that up, I suspect, to a combination of bureaucracy and "CYA" processes. ;)
decornel,
User Rank: Apprentice
7/18/2017 | 4:14:31 PM
Re: Complexity

When bean counters become Engineers we all suffer.  And when assessing risk it becomes a little less risky when it's someone else's data.  The good part is that eventually we will all have so much data stolen that it won't matter because we will all be owned.  Reboot the Matrix.

Charlie Babcock,
User Rank: Ninja
7/13/2017 | 7:56:26 PM
Two weeks of unnecessary exposure?
It took UpGuard five days to notify Verizon, and it took Verizon nine more days to close the public access, or 14 days of additional exposure -- longer than necessary, by both parties?
MarkSitkowski,
User Rank: Moderator
7/13/2017 | 6:26:37 PM
So Soon?
This may be a coincidence, but our logs show that, last night, our website was hit by hackers, all running the same optimistic hack script ("POST /xmlrpc.php"), from these addresses:
I suspect that those user credentials are being used by at least one party.