Breach, Data Security, Vulnerability Management

Verizon data found on open AWS S3 server

Security researchers have found another publicly accessible Amazon S3 server that in this case hosted about 100MB of Verizon Wireless data that was allegedly operated by a Verizon employee.

The open server, which was not owned by Verizon, was discovered by Kromtech Security researchers, who said the data contained internal Verizon corporate information connected to an internal system called Distributed Vision Services (DVS), but no customer data was involved. Kromtech described DVS as “the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data.”

“Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent responsible notification email on September 21st. Shortly after that, online archive has been took down and it has been later confirmed that the bucket was self-owned by Verizon Wireless engineer and it did not belong or managed by Verizon,” wrote Bob Diachenko, Kromtech's chief security communications officer.

Some of the content accessible on the server was labeled “VZ Confidential” and “Verizon Confidential,” some of which contained internal communications, usernames. and passwords that could be used to access other parts of Verizon's network, Kromtech wrote.

This is the second time this year that Verizon data has been left unprotected on an Amazon server. In July, 14 million Verizon customer records were exposed on a misconfigured server being operated by a third-party vendor.

SC Media has contacted for Verizon for comment on this story.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.