Verizon, a major telecommunications provider, has suffered a data security breach with over 14 million US customers' personal details exposed on the Internet.
NICE Systems, a third-party telephony software and data vendor, mistakenly left the sensitive customer details exposed on a cloud server.
On June 8th 2017, Chris Vickery, Researcher and Director of Cyber Risk Research at security firm UpGuard, discovered a cloud-based Amazon Simple Storage Service (S3) data repository that was fully downloadable and configured to allow public access. The repository and its many terabytes of contents could be accessed simply by entering the S3 URL. The data was secured nine days later.
The records held logs from residential customers who had called Verizon customer service in the past six months. The data contained sensitive information on millions of customers, including their names, phone numbers, account PINs (personal identification numbers), home addresses, email addresses and Verizon account balances, as well as customer satisfaction tracking fields such as “Frustration Level”. Together, this is enough for anyone to access an individual's account, even if the account is protected by two-factor authentication.
Eastern Shepherd Analysis of Root Cause:
It is difficult to identify the actual root cause of this event through desktop analysis alone; however, we believe it is due to the following:
- Inappropriate server user access controls: the information was available for download on the Internet for a period of time before being secured again. This suggests that someone with superuser access did not follow the process for securing the information after completing their task. Here again we assume that the cloud service provider had minimum mandatory standards for password controls for users and superusers.
- Lack of periodic control testing by Verizon to make sure approved and established controls were operating as intended. We could not establish how the URL for this database became publicly available on the Internet. Even with the URL known, it is difficult to comprehend why unauthenticated access to the database was possible.
- Possible weaknesses in the security configuration settings (the S3 repository was configured to allow public access).
Eastern Shepherd Recommends:
The risk of third-party vendors managing an organisation's information is a known top-10 high risk in the IT and financial services industries. There have been numerous instances of control failure at third-party sites. Hence companies have to make sure proper controls are established and also checked on a reasonably periodic basis.
In addition, it is recommended to always use masked formats for sensitive data such as PINs, account numbers and key contact details.
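As an added example (not part of Eastern Shepherd's analysis or any vendor's tooling), here is the kind of periodic control check that would have caught the failure mode above: it reads an S3 bucket policy and bucket ACL and reports any grant to a wildcard principal or to the AllUsers/AuthenticatedUsers groups. The bucket name, account ID and role name in the sample inputs are constructed placeholders.

```python
import json

# Canned ACL groups that mean "anyone on the Internet" / "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Policy principals appear as "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_policy_actions(policy_json):
    """Actions that an 'Allow' statement grants to a wildcard principal.
    Condition blocks are not evaluated, so a conditioned grant is still reported."""
    actions = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            actions.extend(_as_list(stmt.get("Action", [])))
    return sorted(set(actions))

def public_acl_grants(grants):
    """(group, permission) pairs the bucket ACL hands to AllUsers/AuthenticatedUsers."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def check_bucket(policy_json, grants):
    """Combine both views; empty lists mean no world-readable grant was found."""
    return {"policy": public_policy_actions(policy_json), "acl": public_acl_grants(grants)}

# Constructed sample inputs (placeholders, not real Verizon/NICE data). In a live check
# they come from boto3's s3.get_bucket_policy(...)["Policy"] and s3.get_bucket_acl(...)["Grants"].
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-call-logs", "arn:aws:s3:::example-call-logs/*"]}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-etl"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"}]})
OPEN_GRANTS = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]
PRIVATE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                   "Permission": "FULL_CONTROL"}]
```

Running `check_bucket(OPEN_POLICY, OPEN_GRANTS)` reports both the public policy actions and the AllUsers READ grant, while the locked policy and private ACL yield empty lists.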