Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Six million of Verizon's US customers had their personal and account information exposed, including PIN numbers.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.

The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, account information, including account personal identification numbers (PINs), were compromised.

UpGuard in its data estimated that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.

In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. "Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions," he says.

What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account.

Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

"An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.

Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain "verizon-sftp." The repository held six folders with titles spanning "Jan-2017" to "June-2017" and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.

Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage and then on June 22 the exposure was sealed up, according to UpGuard's report.

"There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on Amazon's S3 bucket. Earlier this year, UpGuard also discovered a similar situation that involved the Republican National Committee (RNC), which left millions of voter records exposed on the cloud account.

As in the Verizon case, the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon's AWS S3. That third-party also improperly set the database to public rather than private.

"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Routingexperts
50%
50%
Routingexperts,
User Rank: Apprentice
8/14/2019 | 5:00:20 AM
Re: So Soon?
I appreciate your writing skill, thanks for sharing such kind of great information. I read your full article and also I recommend it to others to share more. I agree with your right words. 
AllinD033
50%
50%
AllinD033,
User Rank: Apprentice
4/26/2019 | 6:12:07 AM
Re: Complexity
thanks yes you are right dear.
Rhianprentice
50%
50%
Rhianprentice,
User Rank: Apprentice
1/11/2019 | 11:17:59 AM
Re: So Soon?
To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

 
miguelgardner
50%
50%
miguelgardner,
User Rank: Apprentice
9/18/2018 | 11:56:21 AM
Re: So Soon?
I like your site and writing very much. I saved it on bookmarks. Thank you for your valuable information.
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:27:40 AM
Re: So Soon?
interesting site, thanks guys, add it to your bookmarks!
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:25:52 AM
You definitely put a brand new spin
You definitely put a brand new spin on a subject that has been discussed
for many years. Excellent stuff, just excellent 
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
7/22/2017 | 5:34:05 AM
Re: 192.168.1.1
Joe, I am absolutely agree with you, it's really right words
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/20/2017 | 4:00:22 PM
Re: Two weeks of unnecessary exposure?
@Charlie: Chalk that up, I suspect, to a combination of bureaucracy and "CYA" processes. ;)
decornel
50%
50%
decornel,
User Rank: Apprentice
7/18/2017 | 4:14:31 PM
Re: Complexity

When bean counters become Engineers we all suffer.  And when assessing risk it becomes a little less risky when it's someone else's data.  The good part is that eventually we will all have so much data stolen that it won't matter because we will all be owned.  Reboot the Matrix.

Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
7/13/2017 | 7:56:26 PM
Two weeks of unnecessary exposure?
It took Upguard five days to notify Verizon, and it took Verizon nine more days to close the public access. or 14 days of additional exposure -- longer than necessary, by both parties?
Page 1 / 2   >   >>
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.