It’s not easy for businesses to protect their customers’ data these days, particularly when they share it with their partners. When that data is shared, keeping it secure can become a Herculean effort… and sometimes those efforts come up short. That’s when you find yourself reading yet another headline about an information leak that affects millions of people.
According to the “cyber resilience” experts at UpGuard, a configuration oversight allowed data on upwards of 14 million Verizon customers to be exposed. A third-party analytics provider, NICE Systems, was using Amazon’s S3 cloud platform to store “customer call data” from telecom providers including Verizon. According to a statement provided by NICE, this was “limited information for a specific project” for “a business that NICE divested several years ago and no longer has anything to do with[...]”.
Regardless of its current connection to NICE, the S3 data “bucket” was unintentionally left exposed and ultimately discovered by UpGuard’s Chris Vickery. While UpGuard didn’t specify the total amount of data stored in it, some of the individual files were as large as 23GB. They were organized by month and every day of the year had its own sub-folder.
There’s something about this breach that’s more alarming than the number of files, how large those files are, or even how many people were impacted. In addition to name, address, and phone number, some of the Verizon customer data included plain text PINs. With a customer’s other details and a PIN in hand, a criminal could, according to UpGuard, pull off a SIM card swap. That’s where fraudsters trick a wireless carrier into moving a customer’s phone number to a new SIM.
Such scams have cost people thousands of dollars, and they can give an attacker access to sensitive online accounts that have been protected by two-factor authentication. If that second factor is a text message, the SIM card swap will redirect those messages to the criminal.
As a Verizon customer, you may not have had any idea that NICE — or any other company — had access to your data. Now that you do know… just imagine how many other companies you deal with are doing the exact same thing. Hopefully they haven’t made any configuration mistakes that will allow your data to leak all over again.