Maksim Kabakou - Fotolia
Verizon Enterprise Solutions suffered a recent data breach, where a database of 1.5 million customer records was stolen and put up for sale on the Dark Web last week, according to Krebs on Security.
The records were offered for sale on a "closely guarded, underground cybercrime forum," security journalist Brian Krebs wrote. Verizon Enterprise Solutions said the breach affected business customers only, and "no data about consumer customers was involved" in the breach.
"Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal," according to the company's statement. "Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information or other data was accessed or accessible. The impacted customers are currently being notified."
Verizon Enterprise Solutions did not respond to a request for confirmation of the number of customers affected, or for more information about vulnerabilities exploited in the successful attack. Verizon Enterprise Solutions, a division of Verizon Communications, based in Basking Ridge, N.J., is itself a provider of enterprise security services, as well as other IT services and products, including its annual Data Breach Investigations Report, which reports on "threats, vulnerabilities and actions that lead to security incidents, as well as how they impact organizations suffering them."
Breached database records offered for sale
The breach came to light because customer records stolen in the breach were being offered for sale. "I was contacted by a member of the forum who showed me where to find the advertisement" of 1.5 million Verizon Enterprise customer contacts for sale, Krebs told SearchSecurity. The asking price was $100,000 for all 1.5 million contacts, or $10,000 each for blocks of 100,000. Details of Verizon Enterprise Solutions' website vulnerabilities were also offered.
With an asking price for contact records no more than $0.10 each, the individual records are of relatively low value to attackers. "It appears that not too much damage was done here -- current reports are noting that only customer names and contact information was accessed," said Vann Abernethy, field CTO at NSFOCUS IB, based in Santa Clara, Calif. "While this specific kind of list has some value, it's not as if critical information -- credit cards, passwords, etc. -- was leaked."
However, the stolen records could be used for targeted phishing attacks against Verizon Enterprise Solutions' customers. "There are a few things that could be done," Abernethy said, "most notably, using the information in social engineering attacks -- e.g., posing as a Verizon employee. But since this breach is now public, the chances of this being successful are lower."
The breach's full impact for customers may not be known immediately. "Allowing an attack to result in 1.5 million customers' sensitive information to be stolen will be more damaging to their customers in the weeks, months and years to come than the reputational damage to Verizon Enterprise today," said Todd Feinman, CEO of data loss prevention firm Identity Finder LLC, based in New York.
Verizon Enterprise Solutions is the second security firm to fall victim to attack so far this month, and experts pointed out that security firms falling prey to attacks can cause serious fallout. Earlier this month, The Register reported that anti-DDoS firm Staminus had suffered from a 20-hour distributed denial-of-service attack, during which time the Newport Beach, Calif., firm's systems were breached, exposing data that included customer usernames and hashed passwords, contact information and credit card payment information.
"We'll see more and more of these sensitive data breaches being correlated together, so that sensitive contact information can be combined with sensitive password dumps and other data to wreak havoc on other businesses and individuals," Feinman said. "The lesson learned for other enterprises is to segregate their sensitive data and minimize the total volume, so that when a security vulnerability allows a hacker to get through, the damage is minimal."
"The main take away from this is that if you are a security company, you must make sure you're fully patched and protected," Abernethy said, pointing to the Staminus attack as "a worst-case scenario -- attackers allegedly gained access to the company's routers and reset them to factory settings. Also, Staminus was storing customer credit card data in the clear."
"There has been a huge rise in large-scale breaches. What those and this most recent incident drive home is that security has to be top of mind for any business these days, large or small," said Eric Chiu, president of Mountain View, Calif., cloud security firm HyTrust Inc.
Breach fallout yet to come
One key question that is not yet answered is whether or not there will be further disclosures of a greater-magnitude attack in this case. Many of the biggest breaches of recent years -- including the OPM breach, the Home Depot breach and the Target breach -- were initially reported to be smaller in scale than they ultimately turned out.
Experts agreed that scenario was unlikely in this case. Verizon Enterprise Solutions "has some very talented security/breach investigators," Krebs said. "If they say the breach was limited to contact data, then I'm sure it was."
"There is no reason to believe this is more than what it is -- a minor breach that was quickly fixed," Abernethy said. "This is more of a public relations hit than anything -- and Verizon did the right thing by announcing it when they did."
"Verizon can educate customers about the potential for social engineering calls/emails purporting to be from Verizon, and instruct them not to give out any information to an unsolicited caller or via email," Abernethy said. "Customers should contact Verizon directly if they are at all uncertain."
Find out more about how breaches can remain hidden when attackers use stolen credentials.
Learn more about how user awareness and training can help prevent phishing attacks.