Another day, another security breach: researchers at UpGuard have revealed that Verizon suffered a fairly massive data leak, exposing personal information on millions of customers. In this case, it wasn’t Verizon itself that was responsible for the leak, but rather a third-party company partnered with Verizon. This breach also has a few things in common with the RNC leak that we learned about late last month.
In the RNC leak, UpGuard found an online repository of voter information left unsecured on Amazon Web Services’ servers. The same is true for this Verizon leak: Chris Vickery, the same analyst who discovered that unsecured voter information, found Verizon customer data stored in an AWS S3 bucket, once again publicly available. This, as you may have already guessed, means that anyone with the URL could have downloaded this data, which is becoming a worrying trend.
The data was posted to that repository by Verizon partner NICE Systems. What was leaked through this unsecured S3 bucket seems to include logs of calls placed to Verizon customer service between January of this year and June 22. This repository contained a lot of information on customers, including name, phone number, and general data on the calls they made to customer service.
In a lot of cases, the PIN numbers Verizon uses to secure accounts were masked, but a “smaller number” of them were not. This is concerning because all a more unsavory person would need to access your account is the name of the account holder, the primary phone number, and the PIN. If they have those, they can change devices associated with the phone numbers of the account, thereby hijacking those phone numbers, or make fraudulent purchases through customer service.
Another thing that’s worrying about this data exposure is that NICE Systems has been known to work with “governments engaging in surveillance of their citizens.” It’s concerning enough that this Verizon customer data was left exposed online, but when you consider how much information could be collected by government agencies, carelessness like this becomes truly scary.
Verizon and NICE have made moves to secure this data, though Vickery points out that it took them nine days to do so after UpGuard alerted them to the leak. UpGuard initially estimated that the data of 14 million customers had been exposed, but Verizon has since said that the number is closer to 6 million. Though UpGuard says that the nature of this AWS repository means that it’s impossible to tell how many times the data had been accessed, Verizon and NICE say that no data was stolen.
Still, if you’re a Verizon customer, it’s probably a good idea to change your PIN number as soon as you can. While you’re at it, you might consider asking a Verizon representative when the company plans to move beyond PIN numbers and security questions to adopt stronger security measures. Hopefully nothing bad comes from this data exposure, but it sure would be nice if we could stop worrying about these things after a leak or breach has already taken place.