Verizon has acknowledged that millions of customer records, including phone numbers and account PINs, were exposed in a misconfigured cloud database, but says no one aside from a security researcher accessed the data.
The data was in an Amazon cloud bucket administered by a third-party vendor in Israel that Verizon uses. Chris Vickery, a researcher at UpGuard, discovered the repository in early June and found that it was configured to allow external access. UpGuard says the repository included data on more than 14 million Verizon customers in the United States, but Verizon said the number is closer to six million unique customers.
“The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations,” UpGuard said in a post on the discovery.
Verizon officials said that the data exposure was limited, as no one besides Vickery accessed the repository.
“As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information,” Verizon said in a statement.
“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.”
In response to the incident, Rep. Ted Lieu (D-Calif.) said he’d like to see Congress look into what happened.
“The latest in a series of disturbing data breaches, requesting @HouseJudiciary @RepGoodlatte hold a hearing on this,” Lieu said on Twitter Thursday.
Verizon also said in its statement that the PINs exposed in the breach aren’t useful for accessing customer accounts online.
“To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts,” the company said.