UpGuard researcher Chris Vickery recently found as many as 14 million Verizon customers' names, addresses, account details and account PINs in a misconfigured and publicly accessible Amazon S3 bucket.
Vickery notified Verizon of the data exposure on June 13, but the data wasn't protected until June 22.
"Beyond the sensitive details of customer names, addresses and phone numbers -- all of use to scammers and direct marketers -- the prospect of such information being used in combination with internal Verizon account PINs to take over customer accounts is hardly implausible," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog post examining the breach.
Crucially, the cloud server in question wasn't being managed by Verizon -- it was owned and operated by third-party vendor NICE Systems, which was using the database to log customer call data.
Some files on the server also held internal data from NICE customer Orange S.A.
"Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises," O'Sullivan noted.
In response, Verizon said in a statement that "to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts."
Verizon also said UpGuard's claims are incorrect regarding the number of customer accounts exposed. "The actual number is approximately 6 million unique customers," the company said.
Most importantly, the company said, "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."
Verizon is right to be concerned about its customers' reaction to the breach. Last fall, an AlertSec survey found that 97 percent of U.S. residents said data breaches unsettle them and result in negative brand perception.
"Customers who are affected by data breaches suffer a significant loss of trust," AlertSec CEO Ebba Blitz told eSecurity Planet by email. "According to our study, nearly one in three Americans said it would take them several months to begin trusting a company like Verizon again following a data breach."
Virsec vice president of marketing Willy Leichter said by email that the breach should result in some heated high-level discussions at both NICE and Verizon. "If the European General Data Protection Regulation (GDPR) was in effect (it is starting in May 2018), there could be a fine as large as $5 billion (4 percent of annual revenue) for this single incident," he said.
Ensuring Cloud Security
To prevent issues like these, key best practices for cloud security including encrypting data both in motion and at rest, ensuring all compliance requirements are met, and conducting audits and penetration testing on a regular basis.
Ryan Wilk, vice president for customer satisfaction at NuData Security, noted that this is the fourth exposure of sensitive data on an unsecured server in less than a month. "It doesn't take sophisticated hacking skills to access an unsecured server -- fraudsters just need to know where to look," he said. "Companies that handle personal data need to up their game, not only by being vigilant about server security but also by incorporating the latest technologies to protect their consumer accounts."
Bitglass CEO Rich Campagna said by email that the Verizon breach should server as a reminder that cloud services can be secure, but it's up to the organizations using them to ensure that they're configured securely. "This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest," he said.
"Companies like Verizon must put policies in place that require third-party vendors like NICE to adequately protect any customer data that touches the cloud," Campagna added.