Verizon and Amazon data security story full of holes
Verizon is doing its best impression of Swiss cheese, as one of its partners left sensitive information on up to 14 million customers on an unsecured Amazon database for a week after being notified.
July 13, 2017
Verizon did its best impression of Swiss cheese when one of its partners left millions of customers’ sensitive information on an unsecured Amazon database for a week after being notified.
The insecure information was initially found by cybersecurity firm UpGuard, in an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters. The data itself was fully downloadable and configured to allow public access. The database and its many terabytes of contents could be accessed simply by entering the S3 URL.
The main issue, aside from the gargantuan security oversight itself, is the nature of the data. Information included customer names, addresses and phone numbers, but also account PINs. While a number of these PINs had been ‘masked’ or redacted, a huge number weren’t. This is a crucial bit of information, as hackers would now be able to pose as a customer when calling customer services and access account information.
In the repository itself there were six main files, one for each month of the year to June, as well as various other ones, for example a couple named “VoiceSessionFiltered.zip” and “WebMobileContainment.zip”. UpGuard notes: ‘These files, inaccessible via .zip extraction, could be decompressed once the format was changed to .gzip, another file compression program’.
Each of the month-named files contained one file for each day of the month, which included such information as voice recognition log files, as well as the records of individuals’ calls to a customer support line. It’s a lot of information, some of which could be pretty damaging for customers, not to mention Verizon’s image in the world.
UpGuard says it first discovered the exposure on 8th June and notified Verizon of the oversight on 13th June, though the error was not actually corrected until the 22nd. UpGuard reckons up to 14 million customers may have been affected, but Verizon is saying it’s more like 6 million.
“An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access,” said Verizon’s David Samberg on the company’s media blog. “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”
There is no further explanation as to how the company knows that no other party has accessed the data, and it does smell a little bit fishy to us. Hackers are able to enter and leave a network without leaving any trace of their presence; it sounds like Verizon is simply stating the assumption that the data is safe, because that’s the thing to do in this situation, without providing much substance.
While Verizon seems relatively confident the PIN is only useful to people who want to impersonate customers when calling customer services, others are less confident about the situation.
BuzzFeed has highlighted that using the PIN, hackers would be able to call cell providers and change the SIM card on record to their own. This would be a means to navigate around the two-factor authentication model which Verizon has in place, as some accounts require a code typically provided by text message in addition to a password. This method was used to hack Black Lives Matter activist DeRay Mckesson last year.
The levels of incompetence surrounding this saga should be a wake-up call to the industry. Firstly, the abdication of responsibility from Verizon, steering the blame towards the partner, is staggering. Jobs are outsourced, accountability and responsibility are not. From a risk mitigation perspective, this is as much Verizon’s fault as it is the partner’s.
Secondly, from a security perspective, leaving the files on an unsecured data repository is unthinkable, but the fact that the data was not encrypted as well is unbelievable. Data should be protected not only from people outside the organization, but also from those inside it who do not have the right to access it.
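The two failings described above, a bucket that anyone holding the S3 URL could read and data stored without encryption, are both visible in a bucket’s own configuration. The following is an added example, not code from the article, UpGuard or any of the companies involved: a small audit routine that works over the JSON shapes the S3 API returns for a bucket’s ACL, bucket policy, default encryption and Block Public Access settings (the last is a control AWS added after this incident), so it can be pointed at real boto3 output. The bucket names, ACL grants and policy documents below are constructed to mirror the misconfiguration in the story alongside a hardened counterpart.

```python
"""Audit S3 bucket configuration for public exposure and missing encryption.

Added example. The four inputs follow the response shapes of GetBucketAcl,
GetBucketPolicy (the 'Policy' string, or the parsed dict), GetBucketEncryption
and GetPublicAccessBlock. All sample documents below are constructed.
"""
import json

# Canned grantee URIs S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee, permission) pairs that open the bucket to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Split Allow statements for Principal "*" into (unconditional, conditional).

    An unconditional wildcard is outright public; a conditional one (e.g. a
    VPC endpoint or SecureTransport condition) is returned for human review.
    """
    if isinstance(policy, str):  # raw 'Policy' field from GetBucketPolicy
        policy = json.loads(policy)
    public, review = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        (review if stmt.get("Condition") else public).append(stmt.get("Sid", "<unnamed>"))
    return public, review


def encryption_enabled(encryption):
    """True if a default server-side encryption rule is configured."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def public_access_block_complete(pab):
    """True only when all four Block Public Access switches are on."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(key) is True for key in keys)


def audit_bucket(name, acl, policy, encryption, pab):
    """Return a list of human-readable findings for one bucket (empty when clean)."""
    findings = [f"{name}: ACL grants {perm} to {who}" for who, perm in acl_public_grants(acl)]
    public, review = policy_public_statements(policy or {})
    findings += [f"{name}: policy statement {sid} allows Principal * unconditionally" for sid in public]
    findings += [f"{name}: policy statement {sid} allows Principal * under a Condition; review" for sid in review]
    if not encryption_enabled(encryption):
        findings.append(f"{name}: no default server-side encryption configured")
    if not public_access_block_complete(pab):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    return findings


# --- constructed sample configurations (hypothetical bucket names) ---------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky-bucket/*"}]})

HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-hardened-bucket", "arn:aws:s3:::example-hardened-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for line in audit_bucket("example-leaky-bucket", LEAKY_ACL, LEAKY_POLICY, None, None):
        print(line)
    print("hardened findings:",
          audit_bucket("example-hardened-bucket", HARDENED_ACL, HARDENED_POLICY,
                       HARDENED_ENCRYPTION, HARDENED_PAB))
```

The leaky sample produces four findings (a public READ grant, an unconditional public policy statement, no default encryption and no Block Public Access), while the hardened bucket produces none. The Deny statement in the hardened policy is deliberately not flagged: a wildcard principal is only a problem when the effect is Allow.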
Finally, the amount of time it took to respond to UpGuard’s notifications is, quite frankly, laughable. Nine days demonstrates that ‘customer centric’ is a non-existent term at Verizon and that security is not a topic being taken seriously.
Sometimes these incidents are a wake-up call for the company and the industry on the whole. Let’s hope so, because there is zero upside for Verizon here.
UPDATE 17/07/2017 17:28: Telecoms.com received the following statement from a NICE spokesperson:
“We are aware of the published article.
“Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.
“This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.”