How did the data of 14m Verizon customers end up online?

It appears securing data in the cloud, specifically Amazon Web Services’ (AWS) cloud, is difficult for some companies given the frequency in which cybersecurity researcher Chris Vickery is revealing his discoveries. The latest is Verizon.

Verizon received the call on June 13 informing them that 14m of their customers’ personal identifying information was available for perusing (about 10% of their total customer headcount) via an AWS repository maintained by Verizon’s partner, Nice Systems, an Israeli firm. According to Vickery, the identified AWS storage was secured nine days later, on June 22.

What was compromised?

Nice Systems created a six-month data store of customer service calls and call records which included customers’ name, mobile number, account PIN, home address, email address and their current Verizon account balance. In addition, the Nice Systems analytics associated a subjective customer “frustration level” within each record. Nice Systems (as a partner/third-party vendor) would have had natural access to this information, given their software was being used to provide back-office support to Verizon.

Verizon told CNBC that there was no loss of customer data, the number of subscribers affected was “overstated” and the PINs identified were not associated with accounts. The company added:

We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

How did it happen?

Vickery’s report and associated media follow-up highlight that the dataset might have been the work of a single engineer. We are left to speculate if this is an instance of shadow IT or an individual engineer’s science project to enhance the deliverable to Nice System’s clients.

Event amnesia within the telco industry exists: who can forget the 15m T-Mobile customers who had their data exposed by a third-party vendor, Experian, in 2015? How about the AT&T breach of 2014 perpetrated by an insider? These are the canaries within the coal mines.

Whoever created the dataset clearly had not availed themselves to mountain of information from AWS on securing the cloud, nor did they take advantage of  the many AWS security partners who devote themselves to securing such datasets, day in and day out.

What now?

If you are a Verizon customer, change your PIN associated with your account – why take a chance?

If you are a Nice Systems client, you might want to have a chat with your account rep and delve into how your data is being handled (or mishandled).