Verizon’s partner Nice Systems suffered a data breach that exposed the records of 6 million customers. The data was accessed through an unprotected Amazon S3 storage server, leaving records compromised by customer service calls facilitator. Verizon claims that despite the data breach no loss or theft of customer information occurred.
The records in question are logs from residential customers who had called Verizon customer service within the past 6 months. The cause of the breach was a misconfigured security setting on the server that would enable anyone who knew the website address to access and download the files. This is exactly what happened as an employee of Nice Systems accessed the unprotected Amazon S3 storage server. Thankfully, Verizon reports that no external party had access to the data, minimizing the potential damage scope to the single employee that will bear the burdens of their responsibilities.
Each record included the customer’s name, mobile number, and significantly, the customer’s account PIN, along with their home address, email address, and their Verizon account balance. While some records were partially redacted to protect the security and privacy of customers, most were not. This means that anyone with access to the records could have impersonated a subscriber and been granted access to their account, or have sold the information to third parties that could find a use for the data provided.
Verizon and Nice Systems have reported an investigation into the security breach, commenting that the data was part of a “demo system,” but refusing further elaboration. Due to the undisclosed nature of the context regarding the statement, it is uncertain as to whether this is fact, presupposing that the breach did not have as large an impact as it could have, or simply damage control. The breach was first discovered by Chris Vickery, a research working for cybersecurity firm UpGuard, who noticed the breach on June 13th. After privately informing Verizon, an investigation was conducted and the data was finally secured on June 22nd, nine days after the breach was initially reported.
This is not the first case of a data breach with a major mobile carrier, and this is not the first security breach for Verizon. In 2015, data broker Experian experienced a major breach that resulted in the exposure of similar information for 15 million T-Mobile customers. And in 2016, Verizon’s enterprise unit had data stolen by hackers, resulting in the exposure of information regarding IT services to companies that are put up for sale online.
Verizon and all mobile carriers need to a great deal more investing into cybersecurity to ensure that their customer’s data is protected. Regardless of whether the data is stored on a third party site managed by a partner, the ones responsible for the damage caused by the data breach is Verizon themselves. Customers place their faith in Verizon to ensure that their privacy is maintained and considering that this is not the first time Verizon has suffered a data breach, it is certain that Verizon’s reputation has taken a hit.
Regardless of the severity of the consequences from a data breach, the trust that customers place in Verizon is minimal at best. Looking on the lighter side, that this server was a demo suggests that the impact will be reduced, but even then it shows customers of the efforts Verizon goes through to fulfill their corporate social contract to the customer. Needless to say, these cybersecurity methods need serious updating and securing if Nice Systems ever wants to be partnered with a mobile carrier again. Only time will tell as to whether Verizon and Nice Systems compensate the customers for the data breach, beginning with whether more customers will have important private information redacted to minimize potential damages in case of another data breach.
Featured Image via Flickr/Mike Mozart