Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Six million of Verizon's US customers had their personal and account information exposed, including PIN numbers.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.

The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon's cloud-based file repository housed in an Amazon Web Services S3 bucket on NICE's cloud server, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, account information, including account personal identification numbers (PINs), were compromised.

UpGuard in its data estimated that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.

In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O'Sullivan, a cyber resilience analyst for UpGuard. "Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions," he says.

What's unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O'Sullivan. "The PINs are used to identify a customer to a customer care person," O'Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual's account.

Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: "To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

"An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon's statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.

Meanwhile, on June 8, UpGuard's cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain "verizon-sftp." The repository held six folders with titles spanning "Jan-2017" to "June-2017" and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.

Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage and then on June 22 the exposure was sealed up, according to UpGuard's report.

"There was a fairly long duration of time before it was fixed, which is troubling," O'Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on Amazon's S3 bucket. Earlier this year, UpGuard also discovered a similar situation that involved the Republican National Committee (RNC), which left millions of voter records exposed on the cloud account.

As in the Verizon case, the RNC relied on a third party vendor to handle its cloud storage needs and it too used Amazon's AWS S3. That third-party also improperly set the database to public rather than private.

"The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain," O'Sullivan says. "Verizon did not own the server that was involved here, but it will own the consequences."

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," Campagna said in a statement.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/13/2017 | 7:32:04 AM
Complexity
Cloud evangelists love to talk about how the cloud can reduce complexity -- and it truly can.

But, in doing so, cloud also introduces its own form of complexity -- which can lead to lesser security, lesser data privacy, lesser compliance, and other revenue-impacting bugaboos. Migration is its own complex task. In many ways, it can be a trade-off -- with the idea that the gains in the long run will supersede the complexity costs of migration...but that sure doesn't erase those costs altogether!
decornel
50%
50%
decornel,
User Rank: Apprentice
7/18/2017 | 4:14:31 PM
Re: Complexity

When bean counters become Engineers we all suffer.  And when assessing risk it becomes a little less risky when it's someone else's data.  The good part is that eventually we will all have so much data stolen that it won't matter because we will all be owned.  Reboot the Matrix.

Shantaram
50%
50%
Shantaram,
User Rank: Ninja
7/22/2017 | 5:34:05 AM
Re: 192.168.1.1
Joe, I am absolutely agree with you, it's really right words
AllinD033
50%
50%
AllinD033,
User Rank: Apprentice
4/26/2019 | 6:12:07 AM
Re: Complexity
thanks yes you are right dear.
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
7/13/2017 | 6:26:37 PM
So Soon?
This may be a coincidence, but our logs show that, last night, our website was hit by hackers, all running the same optimistic hack script (""POST /xmlrpc.php"), from these addresses: 184.72.209.94 Amazon.com; United States 34.203.28.190 Amazon.com; United States 34.207.145.30 Amazon.com; United States 34.210.21.112 Amazon.com; United States 34.227.111.122 Amazon.com; United States 34.227.65.182 Amazon.com; United States 35.154.154.10 Amazon.com; Amazon Data Services 52.201.248.46 Amazon.com; United States 54.175.234.31 Amazon.com; United States 54.187.35.209 Amazon.com; United States 54.71.24.41 Amazon; United States 54.90.130.226 Amazon.com; United States I suspect that those user credentials are being used by at least one party.
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:27:40 AM
Re: So Soon?
interesting site, thanks guys, add it to your bookmarks!
miguelgardner
50%
50%
miguelgardner,
User Rank: Apprentice
9/18/2018 | 11:56:21 AM
Re: So Soon?
I like your site and writing very much. I saved it on bookmarks. Thank you for your valuable information.
Rhianprentice
50%
50%
Rhianprentice,
User Rank: Apprentice
1/11/2019 | 11:17:59 AM
Re: So Soon?
To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts," Verizon stated.

 
Routingexperts
50%
50%
Routingexperts,
User Rank: Apprentice
8/14/2019 | 5:00:20 AM
Re: So Soon?
I appreciate your writing skill, thanks for sharing such kind of great information. I read your full article and also I recommend it to others to share more. I agree with your right words. 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
7/13/2017 | 7:56:26 PM
Two weeks of unnecessary exposure?
It took Upguard five days to notify Verizon, and it took Verizon nine more days to close the public access. or 14 days of additional exposure -- longer than necessary, by both parties?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/20/2017 | 4:00:22 PM
Re: Two weeks of unnecessary exposure?
@Charlie: Chalk that up, I suspect, to a combination of bureaucracy and "CYA" processes. ;)
Winema
50%
50%
Winema,
User Rank: Apprentice
1/6/2018 | 2:25:52 AM
You definitely put a brand new spin
You definitely put a brand new spin on a subject that has been discussed
for many years. Excellent stuff, just excellent 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.