Misconfigured Amazon Storage Exposes 14 Million Verizon Customer Records
The exposure of an estimated 14 million Verizon customer records in an unsecured Amazon Web Services (AWS) S3 storage bucket is calling new attention to the seemingly growing trend of cyber breaches resulting from misconfiguration of public cloud services.
Cyber risk research firm UpGuard announced today that it discovered the highly sensitive customer data – including names, phone numbers, addresses, account balances and even account personal identification numbers (PINs) – largely unprotected last month, during a search for data exposures conducted as part of its mission.
UpGuard notified Verizon of the discovery on June 13th, but said the breach ultimately wasn’t closed until June 22.
“On June 8th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access,” the company wrote in a blog post announcing the breach. “The database and its many terabytes of contents could thus be accessed simply by entering the S3 URL.”
Particularly concerning is the exposure of the account PINs.
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts – an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication,” UpGuard wrote.
With access to cell phone accounts, criminals can gain access to a host of other mobile personal accounts, from social media to financial applications.
A Verizon spokesperson told ZDNet that the company was investigating what parties might have had access to the storage but that the probe determined no data was actually stolen.
However, Verizon was unable to say how it came to that conclusion, given UpGuard researchers were able to locate and review the unprotected information.
Updated (July 13): Verizon Says Only 6 Million Customers Exposed in Breach.
“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” the unnamed spokesperson is reported as saying. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
The S3 storage was operated by NICE Systems, which provides customer-tracking technology to help Verizon and scores of other large global enterprises to improve help desk and other service delivery.
Configuration of the public cloud resources was the responsibility of an engineer at NICE Systems’ headquarters in Ra’anana, Israel, according to UpGuard researchers.
NICE told ZDNet that it’s also investigating.
In the meantime, cloud security experts said the circumstances in the latest Verizon breach are eerily similar to a host of other recent miscues involving public cloud technologies.
“In just the past couple of months we’ve seen first-hand examples of Verizon, the WWE (World Wrestling Entertainment), the U.S. voter records leak and Scottrade expose sensitive information through mismanaged AWS S3 servers,” said Zohar Alon, founder and CEO of Dome9, which provides public cloud infrastructure security. “It has become abundantly clear that many users still do not fully understand how to configure S3 buckets to prevent data exposure.”
“Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous,” he continued. “A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization’s reputation at risk.”
These types of breaches are clearly preventable, said Rich Campagna, CEO at cloud security vendor Bitglass.
“This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest,” he said. “Companies like Verizon must put policies in place that require third-party vendors like NICE to adequately protect any customer data that touches the cloud.”