Telco Apologizes After Unsecured Amazon Cloud Bucket Spills Customer Data Photo: Mike Mozart (via Flickr/CC)
Verizon has apologized after a contractor failed to secure a large batch of customer information, leading to data relating to 6 million customers’ accounts being exposed. But it’s unclear if Verizon – the largest wireless carrier in the United States – plans to notify affected customers.
Exposed data included names, addresses, phone numbers, account information and, in some cases, PIN codes that customers use to verify themselves to phone-based customer-service teams. The exposed data was stored in logs and information associated with customer-service calls.
“Verizon is committed to the security and privacy of our customers,” the company says in a statement. “We regret the incident and apologize to our customers.”
The data exposure was discovered by Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard.
The data was contained in an unsecured Amazon Web Services Simple Storage Service (S3) “bucket,” or storage instance, Dan O’Sullivan, a cyber resilience analyst at UpGuard, writes in a blog post. Israel-based NICE Systems, one of Verizon’s partners, controlled the repository.
Verizon says in its statement that NICE was supporting “a residential and small business wireline self-service call center portal and required certain data for the project.”
UpGuard notified Verizon on June 13 about the data exposure, but the bucket wasn’t locked down until June 22. UpGuard characterized that length of time as “troubling.” Officials at NICE couldn’t immediately be reached for comment.
UpGuard says as many as 14 million customer records were exposed. Verizon, however, disputes that figure, saying Wednesday the exposure affected 6 million accounts.
Aside from Vickery’s access to the data, Verizon spokesman David Samberg says via email that “no Verizon or Verizon customer data was lost or stolen.” He failed to respond to a question as to how Verizon knows that, although it’s possible that analyzing access logs led to that conclusion.
Samberg did not comment on whether Verizon would notify people affected by the data exposure.
Configuration Error Redux
The Verizon data exposure discovery is just the latest such finding by Vickery, who continues to catalog sometimes staggering breaches, in part by using the Shodan search engine. Shodan searches for internet-connected devices. By plugging specific search terms into Shodan, researchers can discover internet-connected systems and cloud instances that are not properly secured (see 198 Million US Voter Records Left Online For Two Weeks).
As with previous episodes of unintentionally exposed data discovered by Vickery, it appears that NICE made a configuration error with the S3 bucket and left the data accessible via the internet. “The database and its many terabytes of contents could thus be accessed by simply entering the S3 URL,” UpGuard’s O’Sullivan writes, and that data could also be downloaded.
By default, Amazon does not enable public access to S3 storage buckets. Amazon also offers identity and access management controls that can be used to carefully restrict who can access buckets or alter data. Buckets can also be made off-limits based on HTTP referrers and IP addresses.
That suggests that someone at NICE might have disabled those security defaults.
Suspected Orange Data Exposure
O’Sullivan says that the information exposed in the S3 bucket also appeared to include data belonging to the French telecommunications giant Orange, which also works with NICE.
“While it appears this internal Orange data is less sensitive, it is noteworthy to see such information included in a repository otherwise devoted to Verizon,” he writes. Indeed, Verizon’s enterprise division competes with Orange in the European marketplace.
The incident underscores again that organizations must ensure their services are securely configured, says Rich Campagna, CEO of Bitglass, which focuses on cloud and mobile security. It also highlights the difficulties in verifying good security practices by contractors or other suppliers.
“Companies like Verizon must put policies in place that require third-party vendors like NICE to adequately protect any customer data that touches the cloud,” Campagna says.
Verizon, however, has sought to downplay the data exposure.
“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area,” the company says in a statement.
But security experts have questioned the ramification of the PINs that were leaked. This only affected affected a subset of accounts; in some customer records, the PIN was masked.
UpGuard contends that the exposure of unmasked PINs could allow fraudsters to trick Verizon into providing them with access to accounts. “Such account PINs are a crucial part of verifying callers as legitimate customers, ensuring impersonators cannot access and change Verizon account settings,” O’Sullivan writes.
But Verizon says that the PINs cannot be used to access an online account. Verizon’s Samberg didn’t immediately respond to a question about whether simply possessing a PIN, however, might be sufficient to allow a fraudster to obtain a new SIM card.
The fear is that a scammer could impersonate a customer and obtain a new SIM, essentially allowing them to then “own” the victim’s phone number. The fraudster would then receive the victim’s text messages, including two-factor authentication codes. Many online services – from banks to cloud storage providers – now require users to enter a one-time passcode, in addition to their regular login details, to better block unauthorized access to accounts.
One year ago, the U.S. National Institute of Standards and Technology advised against continuing to use such out-of-band authentication via voice or SMS. Instead, some businesses – including wireless carriers – now give users the option of obtaining a one-time code via a smartphone app. Security experts generally regard this approach as being more secure than sending one-time codes via voice or SMS.