Known for its highly respected Data Breach Investigations Report, Verizon Enterprise Solutions has suffered its own data breach, after a cybercriminal was discovered selling information linked to 1.5 million of its customers.
Cybersecurity expert Brian Krebs uncovered the plot and posted details yesterday on his blog, reporting that a black-market online forum was advertising the sale of a database containing contact information belonging to Verizon Enterprise customers. The complete database was priced at $100,000, but interested buyers could instead buy portions of the list for $10,000 per segment. The seller also was offering information on security vulnerabilities found on Verizon's web site.
According to Krebs, Verizon was already aware of the incident when he alerted them. This development is obviously embarrassing for the New York-based telecommunications company, whose Verizon Enterprise division offers a spectrum of B2B enterprise solutions, including cybersecurity products intended to prevent and detect incidents such as data breaches.
Verizon shared the following statement with media: “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
The company has not yet revealed exactly how the malicious hacker was able to access its systems, but that hasn't stopped experts from making an educated guess.
The attackers “apparently offered to sell information about vulnerabilities within the website. This initially leads me to believe that the most likely cause of the break-in was probably a SQL injection vulnerability,” said Deral Heiland, global services research lead at security and analytics firm Rapid7, in an email sent to SCMagazine.com. “If [database platform] MongoDB was being used, this is known as a NoSQL database and traditional SQL injection attacks will not work, although NoSQL databases are still subject to injection attacks, which can be leveraged to extract data from the MongoDB.”
Indeed, Krebs noted in his blog that the underground online forum offers the Verizon database in multiple formats, including MongoDB. “So it seems likely that the attackers somehow forced the MongoDB system to dump its contents,” the blog reads.
While the perpetrator may not have been able to pilfer Verizon Enterprise's most sensitive customer information, clients are not necessary out of the woods. As Krebs himself noted, many of Verizon's clients are Fortune 500 companies, so even basic contact information might be enough to tempt cybercriminals to launch phishing attacks against employees at these organizations.
“As Verizon Enterprise is typically the one notifying the public how breaches take place, and the top security experts frequently recommend Verizon's annual Data Breach Investigations Report, it's extremely ironic, and unfortunately another sign of our times... that Verizon had a security vulnerability on their enterprise client portal,” noted Adam Levin, chairman and founder of identity protection firm IDT911, in a statement emailed to SCMagazine.com. “Customers who have been exposed are now prime targets for targeted phishing attacks. They must be careful not to click on suspicious links or authenticate themselves to anyone who contacts them, lest they become unwitting co-conspirators in the theft of their own identities.”
Moreover, Todd Feinman, former PwC ethical hacker and current CEO of data classification company Identity Finder, said online scammers can often parse together data stolen from various sources until they have enough information to do significant damage.
“We'll see more and more of these sensitive data breaches being correlated together so that sensitive contact information can be combined with sensitive password dumps and other data to wreak havoc on other businesses and individuals,” said Feinman in a statement emailed to SCMagazine.com “The lesson learned for other enterprises is to segregate their sensitive data and minimize the total volume so that when a security vulnerability allows a hacker to get through, the damage is minimal.”