Telco Apologizes After Unsecured Amazon Cloud Bucket Spills Customer Data
Verizon has apologized after a contractor failed to secure a large batch of customer information, leading to data relating to 6 million customers’ accounts being exposed. But it’s unclear if Verizon – the largest wireless carrier in the United States – plans to notify affected customers.
Exposed data included names, addresses, phone numbers, account information and, in some cases, PIN codes that customers use to verify themselves to phone-based customer-service teams. The exposed data was stored in logs and information associated with customer-service calls.
“Verizon is committed to the security and privacy of our customers,” the company says in a statement. “We regret the incident and apologize to our customers.”
The data exposure was discovered by Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard.
The data was contained in an unsecured Amazon Web Services Simple Storage Service (S3) “bucket,” or storage instance, Dan O’Sullivan, a cyber resilience analyst at UpGuard, writes in a blog post. Israel-based NICE Systems, one of Verizon’s partners, controlled the repository.
Verizon says in its statement that NICE was supporting “a residential and small business wireline self-service call center portal and required certain data for the project.”
UpGuard notified Verizon on June 13 about the data exposure, but the bucket wasn’t locked down until June 22. UpGuard characterized that length of time as “troubling.” Officials at NICE couldn’t immediately be reached for comment.
UpGuard says as many as 14 million customer records were exposed. Verizon, however, disputes that figure, saying Wednesday the exposure affected 6 million accounts.
Aside from Vickery’s access to the data, Verizon spokesman David Samberg says via email that “no Verizon or Verizon customer data was lost or stolen.” He failed to respond to a question as to how Verizon knows that, although it’s possible that analyzing access logs led to that conclusion.
Samberg did not comment on whether Verizon would notify people affected by the data exposure.
Configuration Error Redux
The Verizon data exposure discovery is just the latest such finding by Vickery, who continues to catalog sometimes staggering breaches, in part by using the Shodan search engine. Shodan searches for internet-connected devices. By plugging specific search terms into Shodan, researchers can discover internet-connected systems and cloud instances that are not properly secured (see
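The configuration error behind this incident is a storage bucket whose ACL or access-block settings let anyone read it. The following is an added example, not code from the article, UpGuard or NICE, showing how a defender can evaluate a bucket's settings for that condition; it assumes the two input dicts have the shape of boto3's `get_bucket_acl()` and `get_public_access_block()` responses, and the sample values are constructed.

```python
"""Flag S3 bucket settings that expose the bucket to the public.

Assumption: `acl` and `pab` mirror the response shapes of boto3's
get_bucket_acl() and get_public_access_block(). Sample data is constructed.
"""
from typing import Dict, List

# Grantee URIs AWS uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags that should all be enabled.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[str]:
    """Return 'Group:Permission' for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission', '?')}")
    return findings


def missing_block_flags(pab: Dict) -> List[str]:
    """Return the Block Public Access flags that are absent or False."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in BLOCK_FLAGS if not cfg.get(flag, False)]


def assess_bucket(acl: Dict, pab: Dict) -> Dict:
    """A public grant is only effective when IgnorePublicAcls is not set."""
    grants = public_acl_grants(acl)
    gaps = missing_block_flags(pab)
    return {"public_grants": grants, "missing_flags": gaps,
            "exposed": bool(grants) and "IgnorePublicAcls" in gaps}


# Constructed sample: READ granted to everyone, no Block Public Access at all.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {}}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in BLOCK_FLAGS}}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_ACL, SAMPLE_PAB))
    print(assess_bucket(SAMPLE_ACL, HARDENED_PAB))
```

With `SAMPLE_PAB` the bucket is reported as exposed; with `HARDENED_PAB` the same public grant is neutralised because `IgnorePublicAcls` is set.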
But security experts have questioned the ramifications of the leaked PINs. Only a subset of accounts was affected; in some customer records, the PIN was masked.
UpGuard contends that the exposure of unmasked PINs could allow fraudsters to trick Verizon into providing them with access to accounts. “Such account PINs are a crucial part of verifying callers as legitimate customers, ensuring impersonators cannot access and change Verizon account settings,” O’Sullivan writes.
But Verizon says that the PINs cannot be used to access an online account. Verizon’s Samberg didn’t immediately respond to a question about whether simply possessing a PIN, however, might be sufficient to allow a fraudster to obtain a new SIM card.
The fear is that a scammer could impersonate a customer and obtain a new SIM, essentially allowing them to then “own” the victim’s phone number. The fraudster would then receive the victim’s text messages, including two-factor authentication codes. Many online services – from banks to cloud storage providers – now require users to enter a one-time passcode, in addition to their regular login details, to better block unauthorized access to accounts.
One year ago, the U.S. National Institute of Standards and Technology advised against continuing to use such out-of-band authentication via voice or SMS. Instead, some businesses – including wireless carriers – now give users the option of obtaining a one-time code via a smartphone app. Security experts generally regard this approach as being more secure than sending one-time codes via voice or SMS.