When data is shared with a third-party vendor, keeping it secure can become a colossal effort. It’s not easy for businesses to protect customer data these days, particularly when they share it with their business or technology partners. Yes, we are talking about another data breach headline, this one affecting millions of customer accounts at Verizon.
Verizon is a leading American telecommunications company, a wholly owned subsidiary of Verizon Communications that offers wireless products and services. It is a global communications and technology leader known for its 4G and 5G wireless networks, broadband and fiber optics, video and advertising platforms, and Internet of Things offerings.
UpGuard’s Cyber Risk Team reported that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million U.S. customers of Verizon.
The cloud server was owned and operated by the telephonic software and data firm NICE Systems, a third-party vendor for Verizon, which mistakenly left sensitive user details open on an unprotected Amazon S3 (Simple Storage Service) cloud server. The exposed data was fully downloadable and configured to allow public access simply by entering the S3 URL.
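The exposure described above comes down to storage whose access controls let anyone read it. As an added example (not code from UpGuard, Verizon or NICE Systems), the following Python audits an S3 bucket ACL and bucket policy offline for public grants; the article does not say which mechanism was misconfigured, so it checks both, and the bucket name, account ID and sample documents are constructed.

```python
# Added example: offline audit of S3 ACL and bucket-policy documents for public access.
# All sample documents below are constructed; none come from the incident.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} (string or list form) matches every caller.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_findings(acl, policy):
    """Return one finding per grant that exposes the bucket publicly."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification: statements with a Condition are left for manual review.
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"Policy allows {actions} to everyone with no condition")
    return findings

# Constructed sample: readable by URL alone (hypothetical bucket name).
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-call-logs/*"}]}
# Constructed sample: access limited to the owner and one role.
CLOSED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
              "Permission": "FULL_CONTROL"}]}
CLOSED_POLICY = {"Statement": {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics"},
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-call-logs/*"}}

if __name__ == "__main__":
    for name, acl, pol in (("open", OPEN_ACL, OPEN_POLICY), ("closed", CLOSED_ACL, CLOSED_POLICY)):
        print(name, public_findings(acl, pol) or "no public grants found")
```
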
NICE Systems is an Israel-based company that is known for offering a wide range of solutions for intelligence agencies, including telephone voice recording, data security, and surveillance. Verizon uses NICE Systems technology in its back-office and call center operations.
The exposed data contained records of customers who called Verizon’s customer services in the past six months; these calls are recorded, obtained and analyzed by NICE Systems.
The repository contains six folders titled “Jan-2017” through “June-2017,” as well as many files formatted with .zip, among them “VoiceSessionFiltered.zip” and “WebMobileContainment.zip.” These files were inaccessible via .zip extraction, but could be easily decompressed once the format was changed to .gzip, another file compression program.
Each month-named folder contains directories corresponding to each day of the month. Each day’s folder contains dozens of compressed files, which make up a repository for the automated daily logging of files. The folder for “June-2017” records a halt to logging on June 22nd.
Once unzipped, the contents of these daily logging folders are revealed to be sizable text files, some as large as 23 GB. Many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large number of these logged calls, however, the most sensitive data, such as “PIN” and “CustCode,” is masked and protected.
But not all of the records’ details are marked as “masked.” For a few call logs there is no such masking at all, revealing details such as unmasked “PIN” codes. Such account PINs are a crucial part of verifying callers as legitimate customers, so an exposed PIN can allow an impersonator to access and change Verizon customers’ account settings.
Verizon and NICE Systems have said they are investigating the breach. Verizon released a press statement clarifying that “the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”