14 Million Verizon Customers’ Records Leaked due to Security Lapse

The personal details of some 14 million Verizon customers were left exposed on a cloud-based online server without adequate password protection, researchers have learned.

A researcher from cybersecurity firm UpGuard has discovered a cloud-based database with terabytes of internal files without any adequate protection. The data was open, left to be downloaded by anyone who accessed the easily-guessed web address.

The unprotected Amazon S3 storage server was maintained by a third-party vendor called Nice Systems, an Israel-based big data analytics company that has previously been accused of selling surveillance tools to governments.

UpGuard researcher Chris Vickery privately told Verizon of the data leak after discovering it in late-June. It was over a week before the data was secured.

The customer records were embedded in log files generated when Verizon customers used the telecom giant’s customer service in the last six months. Each record includes a customer’s name, a cell phone number and their account PIN, ZDNet cited an anonymous Verizon call center representative as saying. Verizon has over 108 million post-paid wireless customers.

From January through June, six folders from each month contained several daily log files, recording customer calls from various US regions based on the location of the company’s datacenters. Each record also included hundreds of fields of additional data such as a customer’s home and email addresses, current account balances and more.

“In short, NICE Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data. Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements,” wrote UpGuard in a blog. “There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise.”

Image credit: Flickr.