The personal data of as many as 14 million U.S. Verizon customers has been exposed in a publicly accessible server owned and operated by a third-party vendor.
NICE Systems, an Israeli firm that provides call center and back-office operations for Verizon, administered the server that contained customer names, addresses, account details and account personal identification numbers (PINs), according to a new report from UpGuard’s Cyber Risk Team, which discovered the breach.
Given NICE Systems’ history of supplying technology for state-sponsored — and often intrusive — surveillance, these findings are concerning, the report stated.
“This offshore logging of Verizon customer information in a downloadable repository should be alarming to all customers who entrust their private data to major US companies, only to see it shared with unknown parties,” the report reads.
The data was stored in an Amazon Web Services S3 bucket that “appears to have been created to log customer data for unknown purposes” and was configured for public access, meaning that anyone possessing the URL could access and download its contents, according to UpGuard.
“Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning,” the report states. Scammers could use these PIN codes to gain access to accounts, which UpGuard says is “an especially threatening prospect” as two-factor authentication increases its reliance on mobile communications.
PINs were masked in some of the records, which appeared to be configured to automatically log daily files that also included records of calls to a customer support line, customer satisfaction tracking and service purchase records, according to the report.
UpGuard notified Verizon, the largest wireless telecommunications carrier in the United States, of the breach on June 13. The breach was ultimately remedied on June 22.
Internal data from another NICE Systems partner, Orange S.A., a French telecommunications corporation and Verizon competitor in the European data market, is also stored on the exposed server.
UpGuard stated in the report that this incident is indicative of the risk shared by third-party vendors in holding sensitive data.
“The prospect of a host of your applications and digital accounts being compromised from one third-party vendor’s exposure of data is not science fiction, but the unfortunate reality of cyber risk today,” the report concluded.