The records of up to 6 million Verizon customers have been exposed to potential theft and abuse after they were left openly accessible on the internet. According to security analyst Chris Vickery (hat tip to ZDNet), the data was left unprotected on an Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. Nice helped Verizon store, collect and analyze customer records for every customer service engagement consumers had with the carrier.
But Vickery (an employee of security firm UpGuard) notes that Nice collected and stored this data for an "unknown purpose," including account phone numbers and the Verizon account PIN codes used to verify customers.
"This exposure is a potent example of the risks of third-party vendors handling sensitive data," Vickery notes. "The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."
"Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises," he adds.
The breach is particularly notable given that Verizon just lobbied furiously to kill FCC broadband customer privacy protections that would have taken effect in March. In addition to requiring transparency about how customer data is used and stored, the rules required that customers opt in to having sensitive data shared. The rules also would have created baseline standards for how this data is stored, requiring that customers be notified in the case of breaches.
If you're a Verizon Wireless customer, you'll perhaps notice that you've yet to hear from Verizon about this latest breach, despite the fact that it happened more than a month ago.
Verizon had insisted that it should be allowed to self-regulate in terms of privacy. But the new rules were proposed after Verizon had previously come under fire for covertly modifying user packets to track them around the internet without their permission.
"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," the company tells ZDNet. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access." The company also tried to tell the website that the "overwhelming majority of information in the data set has no external value."
UpGuard's full analysis of Verizon's latest data breach is available here.
Updated: The original security analysis estimated the impact of the breach at 14 million subscribers. Verizon has since corrected those estimates, stating "only" 6 million subscribers had their data exposed.