Verizon Vendor Vulnerability
After all the hassle Verizon must have experienced over the course of their purchase of Yahoo—considering the massive breaches the latter confronted—this was surely not something the company wanted to add to its next newsletter. Unfortunately, the telecommunications giant has just confirmed a data breach of its own. Not quite on the scale of Yahoo’s billion compromised records, it is nonetheless serious news for as many as 14 million Verizon users.
Once again, here we have an incident where one company’s secure systems were compromised indirectly by a third party vendor. The vendor in this case, NICE Systems, was the principal owner of the publicly accessible Amazon Web Services S3 database that contained the Verizon customer information. This proved to be the source of the breach, as a misconfiguration caused the cloud storage database to go public. All it took was an employee unchecking a box. As to how the data was compiled, NICE Systems’ technology is used at Verizon call centers to log customer call data. Why? The reason is unclear, according to researchers at UpGuard, who first discovered the breach. Once alerted, it took Verizon a week to secure the data.
Exposed in the incident were names, addresses, account information, and Verizon Personal Identification Numbers (PINs). The danger in these details is that they give hackers potential access to your account. One could pose as a legitimate Verizon customer in order to get the account details. Beyond that, a hacker who has your phone number can also get into any other accounts that may use it as part of two-factor authentication.
For their part, Verizon denies there being any theft of customer data, but it’s probably in your best interest to taking precautions just in case (ZDNet offers a list of useful steps).
Amazon S3, unfortunately, also made the news earlier this year for another security incident. In February, a simple typo in the command input resulted in an outage for many websites and applications along the east coast.
User mistakes like these highlight the need for strong vigilance across all environments, whether physical, virtual or cloud. Ensure that your data is well protected, with multiple layers of security and fail safes—just one minor slip can expose that information to any who might want to profit from it.