Slashdot Mirror


1.5 Million Verizon Customer Records Put Up For Sale (arstechnica.com)

An anonymous reader writes: A customer database as well as information about Verizon security flaws were reportedly put up for sale by criminals this week after a data breach at Verizon Enterprise Solutions. According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site," security journalist Brian Krebs reported. Verizon has apparently fixed the security flaws and has reassured its customers by saying "our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers" and that "no customer proprietary network information (CPNI) or other data was accessed or accessible."

2 of 26 comments

  1. Re:the new reality by Locke2005 · Score: 4, Interesting

    Phone companies just don't care. My ex went into T-Mobile and walked out with $406 worth of equipment, charging the whole thing to an equipment purchase installment plan. The only problem is, she gave them my phone number, and they charged it to my account! She even gave them her Oregon Driver's license so they didn't charge her sales tax, but at no point did the friendly salesperson think to check that the name, address, and phone number listed at the top of the contract actually matched the name of the person that signed it! (They took it off my account and charged it to hers instead only when I complained in person.)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  2. Re:There is no such thing as "near-line". by davidwr · Score: 2

    What I envisioned was an offline system that could retrieve data in a matter of minutes, with a "skinny pipe, heavily alarmed with independent monitoring equipment" system sitting between the offline storage system and the "main, online" system. "Skinny pipe" to make it physically impossible to do a wholesale data dump in a short period of time, and "heavily alarmed with independent monitoring equipment" so the alarms can't be hacked through normal means (they could be hacked by social engineering or perhaps by side-channel attacks, but the latter is hard and the former can be controlled by limiting access to a few well-trained, loyal individuals).

    Essentially this is the computer equivalent of having a locked file-room with only 1 person allowed to access it, with several well-trained, highly-observant, loyal-to-the-company people watching that one person and raising an alarm any time that person's behavior was out-of-the-ordinary. That person would retrieve data from the locked file-room upon request and store changed files upon request, with all transactions logged for audit purposes.

    The analogy breaks down since the "main, online" part of the computerized system would have to purge its copies of data after a short period of time - typically hours or days but in some use cases perhaps in seconds or, for that matter, weeks, and that capability isn't reflected in the analogy above.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
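The retrieval path davidwr sketches (a throttled gateway between the offline store and the online system, an independent monitor that alarms on out-of-the-ordinary request rates, an audit log of every transaction, and an online copy that purges itself after a retention period) as an added Python simulation; this is not code from the thread, and the record set, the cap of calls per window, the warning threshold and the retention period are constructed assumptions.

```python
import time
from collections import deque

# Constructed sample data standing in for the offline "file-room".
OFFLINE_STORE = {f"cust-{i:04d}": {"phone": f"555-01{i:02d}"} for i in range(100)}


class Monitor:
    """Independent watcher: sees every request and raises an alarm when the
    request rate nears the pipe's cap, i.e. behaviour out of the ordinary."""
    def __init__(self, warn_fraction=0.8):
        self.warn_fraction = warn_fraction
        self.alarms = []

    def observe(self, requester, in_window, cap):
        if in_window >= cap * self.warn_fraction:
            self.alarms.append((requester, in_window))


class SkinnyPipe:
    """Gateway between offline store and online system: one record per call,
    a hard cap on calls per time window, and every attempt written to an audit log."""
    def __init__(self, store, cap, window, monitor, clock=time.monotonic):
        self.store, self.cap, self.window = store, cap, window
        self.monitor, self.clock = monitor, clock
        self.recent = deque()   # timestamps of calls inside the current window
        self.audit = []         # append-only log of every attempt, allowed or not

    def retrieve(self, requester, record_id):
        now = self.clock()
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()                 # forget calls outside the window
        self.audit.append((now, requester, record_id))
        self.monitor.observe(requester, len(self.recent) + 1, self.cap)
        if len(self.recent) >= self.cap:
            raise PermissionError("skinny pipe saturated; request refused")
        self.recent.append(now)
        return self.store.get(record_id)


class OnlineCache:
    """Online copy of retrieved records, purged once older than the retention period."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.items = ttl, clock, {}

    def put(self, key, value):
        self.items[key] = (self.clock(), value)

    def get(self, key):
        now = self.clock()
        self.items = {k: v for k, v in self.items.items() if now - v[0] < self.ttl}
        return self.items.get(key, (None, None))[1]
```

Pass a fake clock to both classes to drive the window and retention logic deterministically; a bulk dump attempt shows up as refused calls in the audit log and as alarms on the monitor.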