Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Six million of Verizon's US customers had their personal and account information exposed, including PIN numbers.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.

The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, account information, including account personal identification numbers (PINs), were compromised.

UpGuard in its data estimated that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.

In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. "Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions," he says.

What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account.

Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

"An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.

Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain "verizon-sftp." The repository held six folders with titles spanning "Jan-2017" to "June-2017" and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.

Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage and then on June 22 the exposure was sealed up, according to UpGuard's report.

"There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on Amazon's S3 bucket. Earlier this year, UpGuard also discovered a similar situation that involved the Republican National Committee (RNC), which left millions of voter records exposed on the cloud account.

As in the Verizon case, the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon's AWS S3. That third-party also improperly set the database to public rather than private.

"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Routingexperts
50%
50%
Routingexperts,
User Rank: Apprentice
8/14/2019 | 5:00:20 AM
Re: So Soon?
I appreciate your writing skill, thanks for sharing such kind of great information. I read your full article and also I recommend it to others to share more. I agree with your right words. 
AllinD033
50%
50%
AllinD033,
User Rank: Apprentice
4/26/2019 | 6:12:07 AM
Re: Complexity
thanks yes you are right dear.
Rhianprentice
50%
50%
Rhianprentice,
User Rank: Apprentice
1/11/2019 | 11:17:59 AM
Re: So Soon?
To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

 
miguelgardner
50%
50%
miguelgardner,
User Rank: Apprentice
9/18/2018 | 11:56:21 AM
Re: So Soon?
I like your site and writing very much. I saved it on bookmarks. Thank you for your valuable information.
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:27:40 AM
Re: So Soon?
interesting site, thanks guys, add it to your bookmarks!
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:25:52 AM
You definitely put a brand new spin
You definitely put a brand new spin on a subject that has been discussed
for many years. Excellent stuff, just excellent 
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
7/22/2017 | 5:34:05 AM
Re: 192.168.1.1
Joe, I am absolutely agree with you, it's really right words
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/20/2017 | 4:00:22 PM
Re: Two weeks of unnecessary exposure?
@Charlie: Chalk that up, I suspect, to a combination of bureaucracy and "CYA" processes. ;)
decornel
50%
50%
decornel,
User Rank: Apprentice
7/18/2017 | 4:14:31 PM
Re: Complexity

When bean counters become Engineers we all suffer.  And when assessing risk it becomes a little less risky when it's someone else's data.  The good part is that eventually we will all have so much data stolen that it won't matter because we will all be owned.  Reboot the Matrix.

Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
7/13/2017 | 7:56:26 PM
Two weeks of unnecessary exposure?
It took Upguard five days to notify Verizon, and it took Verizon nine more days to close the public access. or 14 days of additional exposure -- longer than necessary, by both parties?
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.