alex_aldo - Fotolia
The personal data of millions of Verizon customers was exposed because of a misconfigured Amazon Web Services S3 bucket leak.
A researcher at security firm UpGuard reportedly discovered a repository containing the names, addresses, account details and account PINs of 14 million Verizon customers in the U.S. The AWS S3 bucket is owned and run by Nice Systems, a third-party vendor based in Israel that Verizon uses to handle its back-office and call center operations.
Chris Vickery, cyber risk analyst at UpGuard, which is based in Mountain View, Calif., discovered the AWS S3 bucket leak on June 8, 2017, and notified Verizon on June 13. Vickery found that the repository was "fully downloadable and configured to allow public access," meaning an attacker would only need the "simple to guess" URL of the AWS S3 bucket to be able to access "many terabytes" of Verizon customer data.
In a blog post, Vickery and UpGuard cyber resilience analyst Dan O'Sullivan noted that the breach wasn't fixed until over a week after notification on June 22, and criticized how long it took, writing, "the long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."
Vickery reported that the data of 14 million users was exposed, but a Verizon spokesperson claimed it was only 6 million customers. Regardless of how many millions of customers had their data exposed, there have been no reports of attackers actually accessing the data.
Among the personal data exposed in the AWS S3 bucket leak were customer names, addresses and phone numbers. Also included in the open repository was customer satisfaction tracking data from when Verizon customers contacted the call center for support. Along with that data, PINs that customers used to access their accounts via the call center were listed with the associated phone numbers. With the PIN and the other personal data, attackers could take over customer accounts.
"The prospect of such information being used in combination with internal Verizon account PINs to takeover customer accounts is hardly implausible," UpGuard wrote. "To do so would enable impersonators to tell Verizon call center operators to do whatever was wished of them."
What is the significance of an exposure like this one?
"In short, Nice Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data," UpGuard said. "Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements. There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor's side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise."
In other news
- Three victims of the Russian hack on the Democratic National Committee have filed a lawsuit against President Donald Trump's campaign and campaign advisor Roger Stone this week. The plaintiffs accuse the Trump campaign and Stone of an invasion of privacy in conspiring to release the hacked information to the public. Two of the plaintiffs, Roy Cockrum and Eric Schoenberg, were donors to the DNC, and the third, Scott Comer, was the chief of staff in the finance department of the DNC. All three victims had their personal information made public when WikiLeaks published the first batch of stolen DNC emails in July 2016. The plaintiffs' case is being handled by the organization Protect Democracy, a government watchdog group made up of lawyers from the Obama administration. If a judge allows the case to proceed, there will be another independent investigation into the accusations of collusion between the Trump campaign and the Russian government.
- In a recent security audit, the U.S. Office of Personnel Management (OPM) was found to be falling short on security. The OPM suffered a major data breach in 2015 that exposed the personal information of more than 21 million current and former government employees, including 19.7 million background investigation applications and 1.8 million non-applicants. This was after another breach in 2014 that exposed an additional 4.2 million records. The OPM has been closely monitored since the breaches by the House Committee on Oversight and Government Reform and by the Office of Inspector General. A report put out by the Inspector General this week noted that it still has concerns with the OPM's security. Specifically, the Inspector General reported weakness in OPM's LAN/WAN system security plan. "The LAN/WAN system security plan (SSP) was missing relevant data about hardware, software, minor systems, and inherited controls," the report reads. "Additionally, the LAN/WAN SSP also failed to appropriately address several relevant controls, labeled as 'not applicable.'" The report also noted deficiencies in security control testing. The Inspector General also found OPM did not meet standards put forth by the National Institute of Science and Technology.
- NATO said it will provide cybersecurity help to Ukraine following the barrage of Petya-like ransomware attacks that hit the country's government. NATO Secretary-General Jens Stoltenberg said the organization is "in the process of providing Ukraine with new equipment to some key government institutions" that would help Ukraine figure out who is behind the cyberattacks. This announcement follows previous confirmation that NATO is establishing cyber as a military domain so a cyberattack on a member will trigger NATO Article 5, the section of the treaty that commits member nations to consider an attack on any one NATO member as an attack on all NATO members. The ransomware that targeted Ukraine, Petya or one of its variants, is believed to have affected 60 countries worldwide.
Learn about how the RNC's voter database was also left exposed by an AWS S3 bucket
Discover the best way to secure Amazon S3 buckets
Need a refresher? Read this AWS S3 tutorial for beginners