Names, phone numbers and other information of millions of customers of Verizon were made available on a publicly accessible storage area owned by one of the company's vendors, according an enterprise security software company that discovered the exposed data.
The data repository "was totally publicly accessible, anyone entering a URL in a browser would have been able to access it," said Dan O'Sullivan, cyber-resilience analyst with UpGuard, the Mountain View, Calif. company that found the data.
Exposed were text files logging calls made to Verizon call centers between Jan. 1, 2017 and June 22, O'Sullivan said. In most cases, the logs included the names, phone numbers and addresses of Verizon subscribers. In some cases, account pin numbers used to verify callers' identities were also exposed, O'Sullivan said.
The storage area belonged to Nice Systems, a Verizon vendor which does business related to call-center management. UpGuard informed Verizon of its findings on June 13, O'Sullivan said. A week later, access was shut off.
After the technology news website ZD Net published a story about the episode Wednesday, Verizon issued a press release apologizing to its customers.
The phone giant confirmed that its customers' information -- including their cell phone numbers and pins in some cases -- had been incorrectly placed in an insecure cloud storage area.
None of the exposed information had been lost or stolen, the company said.
Verizon spokesman David Samberg said that 6 million unique customer accounts were exposed -- a smaller number than the 14 million estimated by UpGuard. Verizon was still investigating the problem when the story broke, he said.
Verizon said a "limited amount of personal information" had been left open to external access, as well as additional information that "had no external value."
The episode prompted U.S. Rep. Ted Lieu (D-Torrance) to request a Judiciary Committee hearing, said Lieu's chief of staff Marc Cevasco.
Lieu, a Verizon customer, is concerned about possible misuse of the data. "If anyone had that information they could go online and have access to your acct, and your call log, etc.," he said.
Also, "most people use their pin for more than one thing," he said, so exposed pins might put people at risk of identity theft.
Cevasco also said that Lieu was not convinced by Verizon's assertions that they had access to reports of all the people who might have viewed the data.
"A good hacker would know how to circumvent stuff like that," he said. Sophisticated state actors, looking for, say, information on government workers, were of particular concern, he added.
Lieu's letter to Judiciary Chairman Robert Goodlatte (R-Va.) states that the data reportedly contained information on U.S. intelligence officials. He called it "the latest in a series of disturbing data breaches."
Nice Systems, headquarted in Ra'anana, Israel, released a statement that called the problem "human error" involving and "isolated staging area with limited information."
O'Sullivan said the exposure underscores the rapidly increasing risks of data breaches. "This is a really remarkable incidence of third party vendor risk," he said. "A customer knows they are giving their information to Verizon, but they are probably not aware that information is going to be shared with third party vendors."
© 2017 Los Angeles Times under contract with NewsEdge/Acquire Media. All rights reserved.
Posted: 2017-07-14 @ 5:51am PT
@jay h: Good point. Name, address, and phone number have always been freely available. Not so much though for email addresses, passwords, and credit card info.
Posted: 2017-07-14 @ 5:45am PT
Interesting. When I was younger, virtually every phone company customer's name, phone number and address was in a big book that they gave away for free....