If you use Verizon, change your PIN. Right. Now.
Verizon subscribers be warned: a security lapse has left millions of customer records exposed. While Verizon says no damage has been done, you may want to change your PIN. Just in case.
UpGuard, a cybersecurity firm, discovered an unsecured data storage system set up by a third-party Verizon contractor, ZDNet reported. According to UpGuard’s cyber risk team, a “misconfigured cloud-based file repository” owned by Israel-based NICE Systems made a wealth of customer data accessible to the public. NICE Systems is a telephonic software and data company that provides Verizon, the nation’s largest wireless carrier, with back-office and call center operations.
Initially, UpGuard reported that the breach involved 14 million customer profiles. But NICE Systems and Verizon have since clarified that 6 million unique credentials were in the unprotected data storage system. The collected records are from the last six months, from January to June of this calendar year.
According to ZDNet, NICE Systems stores the data compiled from customer calls in an effort to analyze and improve the customer service experience. Verizon said the Israeli technology company does not collect Social Security numbers or Verizon voice recordings. What it does collect includes customer names, addresses, phone numbers and account PIN codes, the last of which is used to authenticate an individual’s identity. Basically, everything you need to know to pretend to be a Verizon customer via phone.
“A scammer could receive a two-factor authentication message and potentially change it or alter [the authentication] to his liking,” Dan O’Sullivan, a Cyber Resilience Analyst with UpGuard, told CNN Money. “Or they could cut off access to the real account holder.”
In this case, the exposure traces back to an engineer based in NICE Systems’ Ra’anana, Israel, headquarters who reportedly set up an Amazon Web Services S3 data store to log Verizon customer call data. The cloud-based repository was configured to allow public access rather than being kept private, and the terabytes of consumer data were downloadable by anyone who had the “easy-to-guess” S3 URL.
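Whether a bucket is public or private comes down to a few fields in its ACL, its bucket policy and its Public Access Block settings. The Python example below is added here for illustration and is not code from UpGuard, Verizon or NICE Systems; it audits those fields on constructed sample data. The bucket name, account ID and function names are assumptions, and treating every Allow statement with a wildcard principal and no Condition as public is a simplification.

```python
import json

# AWS predefined group URIs: a grant to either one makes the ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample data in the shape of GetBucketAcl / GetBucketPolicy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
    {"Sid": "VendorOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"},
]})

def public_acl_grants(acl):
    """Permissions that the ACL grants to everyone."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def _wildcard(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_policy_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _wildcard(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(name, acl, policy_json, block=None):
    """Report public grants; `block` is a PublicAccessBlockConfiguration dict."""
    block = block or {}
    acl_hits, pol_hits = public_acl_grants(acl), public_policy_statements(policy_json)
    # IgnorePublicAcls makes S3 disregard public ACLs; RestrictPublicBuckets
    # limits a publicly-policied bucket to the owner account and AWS services.
    exposed = bool((acl_hits and not block.get("IgnorePublicAcls")) or
                   (pol_hits and not block.get("RestrictPublicBuckets")))
    return {"bucket": name, "acl": acl_hits, "policy": pol_hits, "public": exposed}
```

Run against real buckets, the same functions can take the dictionaries returned by the S3 API in place of the sample data; the findings are still listed when Public Access Block neutralises them, so the underlying grant can be removed.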
UpGuard’s Director of Cyber Risk Research made the unsettling discovery on June 8 and informed Verizon of the security issue on June 13. The company made the necessary changes 9 days later on June 22.
“The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling,” UpGuard wrote. “Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.”
Verizon confirmed the security hole on Wednesday. The company, which said an “overwhelming majority of information in the data set had no external value,” asserted that nobody malicious has had access to the information.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention,” Verizon said in a press release. “In other words, there has been no loss or theft of Verizon or Verizon customer information.”