A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed on a misconfigured server.
UpGuard Director of Cyber Risk Research Chris Vickery on June 28, spotted exposed names, addresses, account details, account personal identification numbers (PINs) and information fields indicating customer satisfaction tracking for as many as 14 million US customers.
The data was contained on a misconfigured Amazon S3 data repository owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon, according to a July 12 blog post.
If an attacker were to access the information it would allow them to pose as customers in calls to Verizon and gain access to a user's account. Researchers described this scenario as “an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”
In addition, researchers described the prospect of such information being used in combination with internal Verizon account PINs to takeover customer accounts is hardly implausible and said the weakest point in two factor authentication is the wireless carriers.
The data repository appears to have been created to log customer call data for unknown purposes and was fully downloadable and configured to allow public access. All one would need to access the data was the S3 bucket's URL.
Verizon told SC Media they were able to confirm there was no loss or theft of the information.
“An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access,” a spokesperson said. “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention.”
Despite Verizon's claims researchers criticized the insecure practice highlighting the frequency of information left exposed on Amazon S3. The WWE, U.S. voter records leak and Scottrade also exposed sensitive information through mismanaged AWS S3 servers Dome9, co-founder and CEO Zohar Alon said.
“Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous,” Alon said. “A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization's reputation at risk.”
He added that these examples put an exclamation point on the one-strike law for security in the public cloud and how a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked.
Experts agree, Bitglass CEO Rich Campagna said companies like Verizon need to put policies in place that require third-party vendors like Nice to adequately protect any customer data that touches the cloud.
“This breach once again demonstrates the fact that cloud services like AWS can be secure, but it is up to organizations using them to ensure that services are configured in a secure fashion,” Campagna said.
“This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest.”