1.5 Million Verizon Customer Records Put Up For Sale (arstechnica.com)
An anonymous reader writes: A customer database as well as information about Verizon security flaws were reportedly put up for sale by criminals this week after a data breach at Verizon Enterprise Solutions. According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site," security journalist Brian Krebs reported. Verizon has apparently fixed the security flaws and has reassured its customers by saying "our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers" and that "no customer proprietary network information (CPNI) or other data was accessed or accessible."
Every time I hear about a security breach or even just bugs in software, I feel sick to my stomach. Incidents of that sort just wouldn't happen if we were all using Rust for all software. I know there's a lot of software that will take a long time to rewrite in Rust, but that's exactly why we must begin using Rust now. The longer we don't rewrite all of our code in Rust the more at-risk we are. The time to move into the future is now, and the future is Rust.
Is it time for companies to keep most customer records "near-line" instead of "online"?
Yes, this may mean having the company put you on hold for a minute or two while your record gets moved from "near line" to "online" when you call for help, but at least "massive" data breaches will be "less massive."
Question: What's another major advantage of keeping records "near-line" besides fewer victims?
Answer: You can keep track of how many records are being moved in any given period of time and quickly respond if the numbers become anomalous.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
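The rate-monitoring idea in the comment above (watch how many records move from near-line to online per period and react when the number is anomalous) can be sketched as a small detector. This is an added example, not code from the commenter or from Verizon; the log format, the operator names and every log line are constructed for the illustration, and the threshold rule (mean plus three standard deviations of the preceding six windows, never below five fetches) is an assumed starting point rather than anything the thread specifies.

```python
"""Rate-based anomaly check on near-line record retrievals.

Added example (not from the thread): if customer records are pulled from
near-line storage one at a time, the number of records moved per time window
is a signal worth watching. The log format and all sample lines here are
constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> fetch account=<id> operator=<user>"
LINE_RE = re.compile(r"^(?P<ts>\S+) fetch account=(?P<acct>\d+) operator=(?P<op>\S+)$")
EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed log: 2-3 fetches per 10 minutes for two hours by a few
    agents, then 40 fetches in under seven minutes by one operator."""
    start = datetime(2016, 3, 24, 9, 0, 0)
    lines = []
    agents = ["agent17", "agent02", "agent09"]
    for i in range(30):  # ordinary call-centre traffic, one fetch every 4 min
        ts = start + timedelta(minutes=4 * i)
        lines.append(f"{ts.isoformat()} fetch account={100000 + i} operator={agents[i % 3]}")
    burst = datetime(2016, 3, 24, 11, 0, 0)
    for i in range(40):  # bulk pull: one fetch every 10 s from a single operator
        ts = burst + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} fetch account={200000 + i} operator=svc_export")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "account": m["acct"], "operator": m["op"]}


def count_per_window(events, window_minutes=10):
    """Map each window start (datetime) to the number of fetches in it.
    Empty windows between the first and last event count as 0, so quiet
    periods pull the baseline down rather than being ignored."""
    width = timedelta(minutes=window_minutes)
    buckets = Counter((e["ts"] - EPOCH) // width for e in events)
    if not buckets:
        return {}
    lo, hi = min(buckets), max(buckets)
    return {EPOCH + b * width: buckets.get(b, 0) for b in range(lo, hi + 1)}


def flag_anomalies(counts, baseline_windows=6, k=3.0, min_alert=5):
    """Flag windows whose count exceeds mean + k*stdev of the preceding
    baseline_windows (never below min_alert, so a flat baseline of 2-3
    fetches does not turn 4 fetches into an incident)."""
    keys = sorted(counts)
    alerts = []
    for i in range(baseline_windows, len(keys)):
        history = [counts[w] for w in keys[i - baseline_windows:i]]
        threshold = max(min_alert, mean(history) + k * pstdev(history))
        if counts[keys[i]] > threshold:
            alerts.append({"window": keys[i], "count": counts[keys[i]], "threshold": threshold})
    return alerts


def top_operators(events, window_start, window_minutes=10, n=3):
    """For triage: who pulled the most records inside a flagged window."""
    end = window_start + timedelta(minutes=window_minutes)
    ops = Counter(e["operator"] for e in events if window_start <= e["ts"] < end)
    return ops.most_common(n)


def analyse(lines, window_minutes=10):
    """Parse the log, count fetches per window, and return flagged windows
    together with the operators responsible for them."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = flag_anomalies(count_per_window(events, window_minutes))
    for a in alerts:
        a["operators"] = top_operators(events, a["window"], window_minutes)
    return alerts


if __name__ == "__main__":
    for a in analyse(build_sample_log()):
        print(f"{a['window']:%Y-%m-%d %H:%M} {a['count']} fetches "
              f"(threshold {a['threshold']:.1f}) top operators: {a['operators']}")
```

On the constructed log only the 11:00 window is flagged, and the per-operator breakdown shows a single account doing all of the pulling, which is the detail a responder needs first. In a real deployment the retrieval log would have to be written by the near-line layer itself rather than by the web tier, otherwise an intruder who owns the online system can suppress the signal, which is exactly the objection raised later in the thread.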
The new reality is that everyone should assume their private data is compromised. If you want privacy, you must do something anonymously. Unfortunately, that may not be possible for things like cell phones. After the attacks in Paris, it may not be possible to buy a prepaid SIM card without showing ID. Verizon doesn't take the problem seriously when they're downplaying the breach. Until there are severe penalties for insecure data management (including anything other than social security where an SSN is used as identification), this will continue. Public key encryption can remove the need for secret identifiers, but there's no interest in making this happen. Until then, the new reality is to assume your data is compromised, monitor everything, don't disclose any unnecessary details, and use strong encryption.
There's no such thing as a "near-line" system. If what you're calling the "near-line" system is connected to the online system in any way, then it's essentially online, too. If the online system can be violated, then the intrusion detection measures and the temporary separation that you're talking about can very likely be disabled or defeated, too.
As a fine poet once wrote,
So what you're suggesting just doesn't work in reality. There is no such thing as "near-line". If a system isn't completely isolated, then it's online. Those are the only two possible states: offline, or online.
Verizon Communications made like $131 billion in revenue and $18 billion in profits last year. How is it that a company that fat with money, and that charges some of the highest rates of any ISP, does not have the ability to protect its customer records... or perhaps it just doesn't care.
$0.10 per record? Seems high.
Considering Verizon considered Comodo's anti-virus award worthy, it shouldn't come as a surprise that Verizon's own security is full of "excellence" in security holes as well.
Wow, so all of the excessive lockdown of the networks at Verizon that makes life difficult for their suppliers, those NSA regulations as well, that require everyone who accesses their network to be in the USA to even think about logging in to a server, those didn't help, did they?
Nope, funny isn't it? You try to keep the criminals and bad guys out by assuming that only people outside of the US could possibly want to hurt Americans... guess what? You got your own problems.
My account was hacked about two weeks prior to me reading this post. The person was able to get into my account, change my mailing address, and order an iPad with no Verizon person questioning this. Their response was only to change my account to require anyone making purchases on my account to show up in person at a Verizon outlet. I changed all of my login information, but I'm not convinced that Verizon gives a damn about security.
1.5 Million Verizon Customer Records Put Up For Sale
At first I wondered why this is news. Isn't this just Verizon doing business as usual? What's so unusual about that?
Then I saw it was about criminals.
So I guess when it's criminals doing the selling, then it's news. But when the company itself sells its own customer data, it's not news.
Do I have that right?
I have to wonder if the value and mostly anonymous nature of Bitcoins are enabling these kinds of deals. I'm not saying Bitcoin is necessarily evil, but I do have to wonder to myself: would these kinds of ransoms and/or sales of stolen data be as easily possible without Bitcoin?