A Nice Systems employee accidentally exposed online the names, phone numbers and PIN codes for as many as 14 million Verizon customers for an unknown amount of time in June.
Nice Systems is a Verizon partner that facilitates customer service calls. The leak was spurred by an Amazon S3 server that was set to “public.” Chris Vickery, of Upguard, reported the leak after he found a database of Verizon customers on a Nice Systems cloud server account. Vickery discovered the breach on June 8; the data was secured by June 22.
Although Amazon S3 servers do not show up on Google, they are easy to track and browse. The exposure of customer PIN codes is concerning. Several hackers use PINs to circumnavigate two-factor authentication, a method for securing customer bank accounts from intruders.
Verizon told its customers the leak didn’t result in a “loss or theft of Verizon or Verizon customer information.” The telecom company emphasized Vickery was the only person to access the account without authorization. They also said the PINs available during the leak were not linked to customer accounts. Rather, the numbers were used to validate customer accounts at data centers.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information,” said the telecommunications company.
Nevertheless, security experts are advising customers to change their passwords, and monitor bank and credit accounts. “The fact that no data may have been downloaded doesn’t minimize the risk of instances such as this,” said John Gunn, chief marketing office for VASCO Data Security. It is not sure if the user database concerned Verizon wireless, landline or business customers, or all of the above.
Vickery revealed last month he discovered information concerning almost every registered U.S. voter on a defenseless online database managed by a political analytics firm. In 2016, he discovered information concerning almost 2,000 children in a server managed by a parental-monitoring software firm.
Public Knowledge, a nonprofit public interest group based in Washington D.C., called on the Federal Communications Commission to investigate.
“Telecommunications companies have a duty to protect the personal information of their subscribers. This includes ensuring that their employees, contractors, and business partners take appropriate security measures when they handle sensitive customer data,” said Yosef Getachew, policy fellow at Public Knowledge, in a statement.
