July 14, 2017 by Canadian Underwriter
A “misconfigured cloud-based file repository” exposed the names, addresses, account details and account personal identification numbers (PINs) of as many as 14 million U.S. customers of telecommunications carrier Verizon, according to a recent blog from computer security company UpGuard.
The finding, published in the blog earlier this week, is based on an analysis of the average number of accounts exposed per day in the sample that was downloaded by UpGuard’s cyber risk team, the company said in the blog. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.
The data repository appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back office and call centre operations. “Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning,” cyber resilience analyst Dan O’Sullivan wrote in the blog. “Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts – an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”
This exposure is a “potent example” of the risks of third-party vendors handling sensitive data, O’Sullivan wrote. “The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling,” he said. “Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.”
In addition to logs of customer names, addresses and phone numbers, information fields indicating customer satisfaction tracking and service purchases were also included, the blog noted.
The blog concluded by noting that “NICE Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data. Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements. There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise.”