Verizon Security: Account Details of up to 6 Million Subscribers Exposed
The account details of up to six million Verizon subscribers were reportedly compromised.
Earlier the past week, IT security company UpGuard first reported that personal and sensitive details of millions of Verizon subscribers were exposed following a "misconfigured cloud-based file repository" — a facility that was specifically put up to allegedly record details off of Verizon subscribers' customer service calls.
The breached details include the subscribers' names, addresses, Verizon account personal identification numbers and more.
UpGuard added that the compromised facility uses the cloud-based Amazon S3 services that are under the management of NICE Systems — Verizon's third-party contractor. The report claimed that UpGuard Director of Cyber Risk Research Chris Vickery found the exposed subscriber account details as they were easily accessible and downloadable through an S3 URL.
Verizon addressed the issue and explained in a statement (via IB Times UK): "An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access."
The digital security firm estimated that the exposed customer details were from call center logs dating six months prior to the time when the breach was discovered. Unfortunately, since the exposed data was placed in a cloud-based facility, UpGrade was unable to track if other groups had already found them before they did on June 8.
According to UpGuard's report, as much as 14 million account details were exposed. However, Verizon quickly disclaimed the figure and said that the breach affected only six million individual subscribers.
Meanwhile, UpGuard also raised concern over several other aspects such as the use of third-party contractors in stashing sensitive customer details and the amount of time it took for Verizon to resolve the issue.
The security researchers argued: "Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."
The report added that it took Verizon and NICE Systems more than a week to ultimately resolve the security issue; UpGuard claimed they notified Verizon of the security issue on June 13 but it was not fully resolved until June 22.
Added to that, UpGuard recalled that NICE Systems was previously linked to reports of allegedly selling surveillance tools to governments that put people's privacy at risk.
On the other hand, Verizon also told IB Times UK: "The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."
As for NICE Systems, a spokesperson of the IT engineering company also provided a statement to the same IB Times UK report which said: "Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that Nice divested several years ago and no longer has anything to do with our business."