Accessed through an unprotected Amazon S3 storage server
Millions of Verizon customers have had their records exposed, ZDNet reported earlier today. Verizon confirmed that 6 million records were compromised by Nice Systems, a Verizon partner that facilitates customer service calls. The records, which held logs from residential customers who had called Verizon customer service in the past six months, were accessed via an unprotected Amazon S3 storage server controlled by an employee of Nice Systems.
CNN reports that the cause was a misconfigured security setting on the server. As a result, anyone who knew the web address could download the files. But Verizon says no other external party had access to the data, telling CNN that no loss or theft of customer information occurred.
Each record included the customer’s name, mobile number, and account PIN, along with their home address, email address, phone model (Iphone, Oppo, Samsung and etc.) and their Verizon account balance. While some records were partially redacted, most were not. Anyone with access to the records could have theoretically impersonated a subscriber and been granted access to their account.
Verizon and Nice Systems have said they are investigating the breach. Nice also commented that the data was “part of a demo system,” but refused to elaborate. Chris Vickery, a researcher with cybersecurity firm UpGuard, first noticed the breach on June 13th and privately informed Verizon. The data was finally secured on June 22nd, nine days later.
This is certainly not the first time a mobile carrier has suffered a data breach. In 2015, a breach at data broker Experian resulted in the exposure of similar information for 15 million T-Mobile customers. In 2016, hackers stole data from Verizon’s enterprise unit, which provides IT services to companies, and put it up for sale online.