Verizon, the largest wireless phone company in the U.S., last week confirmed that data belonging to about six million of its wireless customers was exposed after the information mistakenly was allowed to remain unprotected on an Amazon cloud server.
The disclosure follows reports that an engineer at Nice Systems, which provides workforce management technology to track call center performance, allowed the data of 14 million Verizon customers to reside on an Amazon Web Services S3 bucket.
The Verizon data was part of a larger data exposure, according to UpGuard, the firm that discovered the problem.
Data from Orange, a Paris-based telecom, was exposed as well, it said.
Of greatest concern were the Verizon personal identification numbers that were left exposed, along with customers’ names, addresses and account information, said Chris Vickery, director of cyber risk research at UpGuard.
“With that detail, a fraudster could have master access to a Verizon customer’s account control,” he told the E-Commerce Times. “It would be theoretically possible to order new hardware or issue a new SIM card for a phone.”
Getting a new SIM card would allow a fraudulent actor to overcome two-factor authentication requirements, Vickery said.
UpGuard disclosed the information to Verizon on June 13, and the breach was closed on June 22.
Nice Systems technology is used around the world for government surveillance, according to UpGuard.
Nice officials confirmed the Verizon exposure, but denied the error was indicative of any larger problem within the company. The company did not comment on the reported Orange data exposure.
“A human error that is not related to any of our products or our production environments, nor their level of security, but rather to an isolated staging area with limited information on a specific project, allowed a customer’s data to be made public for a limited period of time,” Nice said in a statement provided to the E-Commerce Times by spokesperson Ilana Hart.
Data belonging to six million customers was exposed, Verizon confirmed.
The company is committed to customer security and privacy, it said, and it apologized for the incident.
The number of exposed accounts reported in the original media report was “overstated,” Verizon said.
A vendor’s employee put the data onto a cloud storage area and “incorrectly set the storage to allow external access,” Verizon explained, emphasizing that there was no loss or theft of Verizon customers’ information.
The only party — besides the vendor and Verizon — to gain access to the customers’ information was the researcher who discovered the exposure, Verizon said.
It was Chris Vickery, director of cyber risk research at UpGuard, who discovered the exposed data, an UpGuard spokesperson confirmed to the E-Commerce Times.
The back story to the incident is that the vendor was supporting an approved initiative to help Verizon improve a residential and small business wireline self-service call center portal and required certain data for the project, Verizon explained.
The “overwhelming majority” of the exposed data had no external value, the company said, but it confirmed that it included a “limited amount of personal information.”
The data supported a wireline portal, Verizon said, and it included a “limited number” of cellphone numbers for customer contact purposes.
To the extent that PINs were included in the data set, they were used to authenticate a customer calling into Verizon’s wireline call center, but they did not provide online access to customer accounts, according to the company.
The Verizon data exposure is “eerily similar” to the breach of 198 million voter records at Deep Root Analytics, which also were sitting on Amazon S3 servers and were discovered by the same UpGuard researcher, noted Mark Nunnikhoven, vice president of cloud research at Trend Micro.
Although UpGuard hasn’t discussed how it discovered the exposed data, it’s likely the researcher scanned the S3 namespace — a unique root folder where users store their data — looking for misconfigured buckets, Nunnikhoven told the E-Commerce Times.
Amazon should not be blamed entirely for the incident, he said, noting that the S3 buckets are secure by default.
“All AWS servers operated on a shared responsibility model for operations and security,” he said. “That means that both AWS and the user have responsibilities for securing data.”
S3 customers have to decide which data to store and who can access it, Nunnikhoven noted.
It appears that in both of the recent cases, the customers took explicit steps to configure the policies to allow unauthorized access.
“The pattern that is emerging,” Vectra Networks CTO Oliver Tavakoli told the E-Commerce Times, “is that the impact of a single, sloppy misconfiguration in the cloud is likely to have a much bigger effect than the same misconfiguration inside the company’s own data center.”