Yet another company has been caught leaving personal customer data sitting on an openly accessible server for anybody to obtain and abuse. According to UpGuard and security researcher Chris Vickery, the data was being stored by Nice Systems, a Ra'anana, Israel-based company employed by Verizon to store and analyze the data for an "unknown purpose." The data, left unprotected by the company on an Amazon S3 storage bucket, included information on six million subscribers who had called Verizon support in the last six months, including customer names, phone numbers and the account PINs used to access their accounts.
Vickery notes that the potential for abuse of these PINs was particularly problematic:
"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication."
Similarly problematic was the fact that Verizon and Nice were notified of the exposure on June 13th, but the data wasn't secured until June 22nd:
"This exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."
For its part, Verizon tried to downplay the breach to ZDNet, laying all of the blame on Nice while insisting that most of the data had no real value:
"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," said a spokesperson. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access." ... The phone giant said that the "overwhelming majority of information in the data set has no external value."
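The "allow external access" mistake the spokesperson describes shows up in one of two places on an S3 bucket: an ACL grant to the global AllUsers or AuthenticatedUsers groups, or a bucket policy statement whose Principal is "*". The following is an added illustration, not code from the article, Verizon or Nice Systems; it checks both offline on constructed sample data shaped like the output of boto3's get_bucket_acl and get_bucket_policy (the sample owner ID, bucket name and account number are made up).

```python
import json

# Grantee URIs that mean "anyone on the internet" or "anyone with any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (permission, grantee URI) pairs in an ACL that go to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant.get("Permission"), grantee["URI"]))
    return findings

def public_policy_statements(policy_json):
    """Return Sids of Allow statements whose Principal is everyone ("*")."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        # Principal may be the string "*", or {"AWS": "*"} / {"AWS": ["*", ...]}.
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if stmt.get("Effect") == "Allow" and "*" in aws:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample ACL (not real data): the owner plus a public READ grant.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Constructed sample bucket policy: one public statement, one scoped to a vendor role.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VendorOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-analytics"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
```

Either finding means the bucket contents are reachable without any credentials tied to the owner or the vendor, which is the condition that kept this data exposed for nine days after notification.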
Yeah, not comforting. The timing is ironic given that Verizon was one of several ISPs that had just finished lobbying Congress and the Trump administration to kill new FCC broadband privacy protections that would have taken effect back in March. Those rules would not only have required ISPs to be transparent about which third-party data vendors obtain and store customer information, but would have required ISPs to adhere to basic standards for storing and protecting private data, and to quickly notify subscribers when their data is exposed (impacted users in this instance do not appear to have been notified yet).
Verizon had long argued that telecom privacy protections aren't necessary because the industry could "self regulate," something quickly disproven when Verizon was busted a few years ago covertly modifying wireless users' data packets to track their behavior around the internet. At one point the company insisted that privacy protections aren't necessary because "public shame" would keep the company honest -- something that's a bit difficult when customers have absolutely no idea who's collecting, reviewing, or (poorly) storing their personal information in the first place.