Private Data Of 6 Million Verizon Customers Exposed

The records of up to 6 million Verizon customers have been exposed to potential theft and abuse after they were left openly accessible on the internet. According to security analyst Chris Vickery (hat tip to ZDNet), the data was left unprotected on an Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. Nice helped Verizon store, collect and analyze customer records for every customer service engagement consumers had with the carrier.

But Vickery (an employee of security firm UpGuard) notes that Nice collected and stored this data for an "unknown purpose," including account phone numbers and the Verizon account PIN codes used to verify customers.

"This exposure is a potent example of the risks of third-party vendors handling sensitive data," Vickery notes. "The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

"Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises," he adds.

The breach is particularly notable given that Verizon just lobbied furiously to kill FCC broadband customer privacy protections that would have taken effect in March. In addition to requiring transparency about how customer data is used and stored, the rules would have required that customers opt in to having sensitive data shared. The rules also would have created baseline standards for how this data is stored, requiring that customers be notified in the case of breaches.

If you're a Verizon Wireless customer you'll perhaps notice that you've yet to hear from Verizon about this latest breach despite the fact it happened more than a month ago.

Verizon had insisted that it should be allowed to self-regulate in terms of privacy. But the new rules were proposed after Verizon had previously come under fire for covertly modifying user packets to track them around the internet without their permission.

"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," the company tells ZDNet. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access." The company also tried to tell the website that the "overwhelming majority of information in the data set has no external value."

UpGuard's full analysis of Verizon's latest data breach is available here.

Updated: The original security analysis estimated the impact of the breach at 14 million subscribers. Verizon has since corrected those estimates, stating "only" 6 million subscribers had their data exposed.

Most recommended from 28 comments


Quattrohead
Premium Member
join:2005-02-09

25 recommendations

Verizon and Yahoo, perfect match

No wonder they barely flinched at the huge Yahoo leaks

Tomek
Premium Member
join:2002-01-30
Valley Stream, NY

7 recommendations

European Data Protection

US is falling so behind with privacy and data protection.
Recently heard about EU soon to be enforcing data and privacy customer protections in 2018 (to give companies time to prepare).
That kind of data leak would end up with catastrophic fines, but in US, not even slap on the wrist

tmc8080
join:2004-04-24
Brooklyn, NY

6 recommendations

Member

Cybersecurity done by:

A bunch of Yahoos!

mikesterr
join:2008-04-18
Sanford, FL

4 recommendations

Member

No Breach

said by Karl Bode:

If you're a Verizon Wireless customer you'll perhaps notice that you've yet to hear from Verizon about this latest breach despite the fact it happened more than a month ago.

So this was not a Breach... Verizon confirmed No one accessed the data except for the group that uncovered the Outside Vendor's open portal. There was no loss or theft of data.

The fact is Verizon dodged a bullet on this. And with so many businesses moving away from Internal Data centers and going with Cloud solutions like Amazon I believe we're going to see much more of this in the future, regardless of how many security reviews occur.

existenz
join:2014-02-12

4 recommendations

Member

I wonder..

Wonder how much impact private data leaks have, causing people to leave a service. Would be interesting to see if stats are out there. Target had a high profile one a few years ago but stock value went back up afterwards (sales are down for most retailers anyway now given online sales impact). And Yahoo was a doozy but they were heading downhill before anyway.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

2 recommendations

so which was it?

Was this limited to Verizon Wireless, or was this Verizon? They're not quite the same, but unfortunately people fudge that all the time. I'm a customer of the latter but not the former. It may make a difference in this case.

Unbundled
But When ? ?
Premium Member
join:2010-09-13
Irving, TX

2 recommendations

3rd Party Vendors

So much for in-house errors....

The number of breaches and issues caused by 3rd Party Vendors is staggering. But, I guess that's just how we do Business in the 21st Century...

kdwycha
join:2003-01-30
Ruskin, FL

2 recommendations

Member

Well Gee!

Maybe Verizon should set up a cyber security unit with Russian intelligence to secure their customer data? 😂