Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com)

Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.

44 comments

  1. hahahaha by Anonymous Coward · · Score: 0

    but, really, it's not funny. Verizon is huge. They can afford to, and should, pay for people who can figure out rudimentary security policies and practices.

    1. Re:hahahaha by Desler · · Score: 1

      Don't worry. They'll purchase one year of useless identity theft protection to make it right.

    2. Re:hahahaha by Anonymous Coward · · Score: 0

      Exactly. I went through this with Anthem, and others, and still don't feel safe. The data are out there and a way to use/abuse hasn't been determined.

    3. Re:hahahaha by Tablizer · · Score: 3, Interesting

      Verizon is huge. They can afford to...pay for people who can figure out rudimentary security policies and practices.

      Here's how these things often play out:

      Tech grunt: "Boss, I've identified 7 areas here where our security is lax."

      PHB: "How many hours will it take to plug them?"

      Tech grunt: "About a month's worth of labor."

      PHB: "That would mean project X wouldn't be ready by the deadline, and I wouldn't get my Christmas bonus. Let's fix the security gaps next year."

  2. Easy to guess web address by Hall · · Score: 1

    "The data was downloadable by anyone with the easy-to-guess web address"

    And there are actually (security) people who go around doing this?? Well, I realize there are, but it's still pretty freaking strange to do!

    1. Re:Easy to guess web address by Mycroft-X · · Score: 1

      They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

    2. Re:Easy to guess web address by ShanghaiBill · · Score: 1

      They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

      If so, they certainly earned their pay. This is a home run for Nice Systems' competitors. Much of NS's $1.01B in revenue will be going elsewhere in the future.

  3. I'm not a Verizon customer... by __aaclcg7560 · · Score: 1

    And I haven't changed my Yahoo! email password in 20+ years.

    1. Re:I'm not a Verizon customer... by Anonymous Coward · · Score: 0

      But you do drag your lardass around from buffet to buffet to shove pounds of food down your gullet.

    2. Re:I'm not a Verizon customer... by Anonymous Coward · · Score: 0

      password is "dale"

    3. Re:I'm not a Verizon customer... by Anonymous Coward · · Score: 0

      I got Amazon Dot. Where are my cock eggs?

    4. Re:I'm not a Verizon customer... by Anonymous Coward · · Score: 0

      In your anus.

  4. No consequences are to be expected by volodymyrbiryuk · · Score: 4, Insightful

    As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.

    --
    sudo rm -r -f --no-preserve-root /

    1. Re:No consequences are to be expected by Anonymous Coward · · Score: 0

      It gets even more lax than this....

      Approximately a month ago, my cell phone number was ported away from my T-Mobile account to a pre-paid Verizon cell phone that someone had bought and then used to steal my user account and password info from my bank account so that they could change it and log in and attempt to steal money. They got about half of what they were trying to get, which the bank is reimbursing me for. My bank, like many others, uses SMS for its "two factor authentication".

      When I talked to T-Mobile, they told me that carrier to carrier number transfers are not checked for authorization because the sender presumes that the receiver has done all of the proper due diligence checks.

      When I called Verizon, who I have never had a cell phone with and asked them how someone could port MY number away from T-Mobile, they told me that all they needed was my name and phone number if it was a pre-paid phone as they do no credit verification on pre-paid phones, so no other personal information is needed. They just assume that you are the legit "owner" of the number.

      It's possible that both Verizon and T-Mobile phone lackeys had no idea what they were talking about, but given the lax security of what happened with this particular disclosure, it wouldn't surprise me if this information was accurate.

    2. Re:No consequences are to be expected by Ol+Olsoc · · Score: 1

      As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.

      If the past is any indication in matters of computer security in this world, almost everyone will be punished, and praise and promotions doled out for those responsible.

      Levi the janitor will be fired, and they'll call it a job well done.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    3. Re:No consequences are to be expected by volodymyrbiryuk · · Score: 1

      This happened in Germany to customers of a particular carrier as well. But the scammers got even more sophisticated and managed to get into SS7 and drained O2 customers' bank accounts by phishing login data and intercepting mTANs. Security researchers warned about this for years.

      --
      sudo rm -r -f --no-preserve-root /

    4. Re:No consequences are to be expected by houghi · · Score: 1

      Accountability is a serious issue. Not only in business, but also in policing and politics. The fact is that many things are decided legally and not morally.

      It is a bit like sleeping with your best friend's SO. If they then hit you in the face with a brick, you legally did nothing wrong, but you well deserved the brick in your face. (Yes, the SO as well, but that is a separate issue.)

      --
      Don't fight for your country, if your country does not fight for you.

  5. ISO 9000 by Anonymous Coward · · Score: 0

    The manufacturing industry has standards and certifications to help ensure the quality of the materials that originate from downstream suppliers. This also helps to assign liability.

    There needs to be something similar for privacy since so much is outsourced there seems to be no control at all. And, of course, there needs to be serious civil and criminal liabilities for every breach.

  6. But let's keep a list of incompetence and stupid by Anonymous Coward · · Score: 0

    Yahoo!
    Verizon
    Anthem
    MORE Incompetent, unethical moronic assholes.

    There is ZERO excuse.

    And the shitty part is that it is up to the victim to clean up the mess and be on the lookout. WE have to deal with it when someone files income tax in our name. We have to deal with the ramification. We have to deal with the debt - the debt collections calls for assholes (ALL debt collectors are crooked assholes and deserve to get sued. Every single one of them.)

    So, Verizon is now on the list of stupid unethical companies.

  7. Exposed PIN numbers of Wireless customers by 140Mandak262Jamuna · · Score: 1

    The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service. Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.

    Why would they record the pin in plain text in the log files? Irrespective of the leak to public domain, this would expose pins of all customers to all employees who can log in? Stupid to the core.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:Exposed PIN numbers of Wireless customers by 140Mandak262Jamuna · · Score: 2

      So Verizon contracts with some company to analyze customer interactions in real time. They provide them with their raw logs. The logs contain pin numbers and cell phone numbers. Recording the password in plaintext in log files itself is a huge security lapse. Any employee with access to the logs can actually mess with any customer's account. Then they gave the raw unsanitized logs to some third party company. That company has even worse security policy and stores the raw log files in some publicly accessible server.

      In the end all the top brass will find some scapegoat. "Our policy guidelines specifically state the security procedures followed should be of the highest order. They violated our guidelines and policy. They are solely responsible!". The people who write the guidelines to protect their rear ends get paid millions of dollars, and they also implement a pay/bonus/promotion/reward system where following the very same guidelines will make your performance very very bad. With a wink and a nod, knowing fully well their policies are not followed, they could not be followed, they exist only as a CMA shield, they carry on.

      Unless we hold the fire the entire chain of command and dock their pay and bonus and claw back past bonuses and pay they would not change.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

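The parent comment and this reply both turn on the same point: the PIN should never have been in the log, and the log should have been sanitized before it left Verizon. As an added example (not code from the article, Verizon or Nice), here is a small Python sanitizer for a constructed call-centre log format: credential fields are dropped outright, the phone number is masked to its last four digits so calls can still be correlated, and a final guard refuses an export that still contains a plaintext PIN. Field names, timestamps and values are all invented.

```python
import re

# Constructed sample in the shape of a call-centre log a carrier might hand to
# an analytics vendor; every field name and value here is invented.
SAMPLE_LOG = """\
2017-07-10 14:02:11 call_id=8841 name="Jane Doe" phone=2125550134 pin=4821 intent=billing
2017-07-10 14:05:49 call_id=8842 name="Raj Patel" phone=2125550199 pin=0077 intent=plan_change
2017-07-10 14:09:02 call_id=8843 name="Ana Silva" phone=2125550155 intent=coverage
"""

DROP_FIELDS = {"pin", "name"}   # an account PIN is a credential: remove, never obscure
MASK_FIELDS = {"phone"}         # keep last four digits so calls can still be correlated

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PIN_LEAK_RE = re.compile(r"\bpin=\d+\b")        # what must never appear in an export

def parse_record(line):
    """Split 'DATE TIME key=value ...' into a dict; the timestamp is kept under 'ts'."""
    date, time, rest = line.split(" ", 2)
    fields = {"ts": f"{date} {time}"}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields

def mask_phone(number):
    """Replace all but the last four digits with '*'."""
    digits = re.sub(r"\D", "", number)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

def sanitize_record(fields):
    """Drop credential fields entirely and mask identifiers before export."""
    clean = {}
    for key, value in fields.items():
        if key in DROP_FIELDS:
            continue
        clean[key] = mask_phone(value) if key in MASK_FIELDS else value
    return clean

def render_record(fields):
    """Serialise back to the one-line key=value layout of the source log."""
    body = " ".join(f"{k}={v}" for k, v in fields.items() if k != "ts")
    return f"{fields['ts']} {body}"

def sanitize_log(text):
    """Parse, sanitise and re-render every non-empty line of a log export."""
    return [render_record(sanitize_record(parse_record(line)))
            for line in text.splitlines() if line.strip()]

def leaks_pin(lines):
    """Guard to run on the export right before hand-off: is any plaintext PIN present?"""
    return any(PIN_LEAK_RE.search(line) for line in lines)
```

Running `sanitize_log(SAMPLE_LOG)` yields lines such as `2017-07-10 14:02:11 call_id=8841 phone=******0134 intent=billing`, and `leaks_pin` is true for the raw sample but false for the export.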
    2. Re:Exposed PIN numbers of Wireless customers by fisted · · Score: 1

      Recording the password in plaintext in log files itself is a huge security lapse

      If only they were using systemd, avoiding the whole plaintext log files problem.

    3. Re:Exposed PIN numbers of Wireless customers by sims+2 · · Score: 1

      So everything's fine then? I mean I already have a security picture and it makes me enter in a security question each time.

      If there was actually a problem they could just lock all the accounts in question and require a reset of the information in question.

      I just logged in none of that happened.

      --
      Minimum threshold fixed. Thanks!

    4. Re:Exposed PIN numbers of Wireless customers by schleimkeim · · Score: 1

      Why would they record the pin in plain text in the log files?

      Because companies above a certain size just don't give a rat's ass.

  8. How Nice probably got the Verizon contract by supremebob · · Score: 1

    Nice Systems probably got the contract because they offered to do the work much faster and cheaper than what Verizon's own staff estimated. Now you know why it was so much cheaper, guys.

    Hell, most IT work in general is a lot easier when you don't have little things like data security to worry about! Just throw it on "the cloud", problem solved!

  9. NICE sells spy software to dictatorships by Anonymous Coward · · Score: 0

    NICE Systems was also exposed as a reseller for Hacking Team's software: https://motherboard.vice.com/en_us/article/kbzj4z/meet-the-companies-that-helped-hacking-team-sell-tools-to-repressive-governments

  10. Niiiiice! by thomn8r · · Score: 1

    EOM

    1. Re:Niiiiice! by Anonymous Coward · · Score: 0

      Nice Systems' professionalism isn't so nice. :-(

  11. Re:You know what else is exposed? by Anonymous Coward · · Score: 0

    I'm not sucking anything that's been in your mom's mouth.

  12. The Problem Is... by ZNetracer · · Score: 1

    In my opinion: Almost all internet connected H/W, OS and applications have as-yet undiscovered vulnerabilities, even when supposedly patched. At least one major intelligence agency of a "some" State government, has been actively exploiting the above vulnerabilities for at least a decade and has developed a lovely little toolbox of goodies that has for reasons that elude me, been leaked to the hacking, et al., community at large. All entities that collect the most private of data from us have been or will be hacked eventually. Many of those hacked entities will never come clean about it unless publicly burned by someone. There will be little or no recourse or punishment for these entities, even in cases of extreme negligence. Unless maybe a bunch of folks die... With the amount of data that we are required to, encouraged to or coerced into providing various government, financial, medical and retail entities, it's only a matter of time as to when your most sensitive info becomes publicly available. If one is to accept that having your data exposed will be the norm, how do you operate on a day to day basis in that environment? It's not like we can all go off-grid or roll back to paper. Not that that would help anyway...

    1. Re:The Problem Is... by Anonymous Coward · · Score: 0

      If one is to accept that having your data exposed will be the norm, how do you operate on a day to day basis in that environment?

      Simple. Proceed as if you have no secrets or "sensitive info". In fact, you don't. Pretending otherwise and acting to "protect" this fantasy is unproductive.

      If we can admit this, we can solve the problem of data misuse with a combination of public policy, legal sanctions and moral suasion, depending on the situation. E.g. it is illegal to ask certain questions about race or disability in some contexts. This system isn't foolproof, obviously. But everyone has secrets that could get them blackballed from a job/loan/lease. Perhaps everyone would care a little more about the fair treatment of people whose "negative" information can not currently be kept "private", if their perception of privacy were to evaporate.

  13. Verizon States No One but Researcher Accessed Data by Koreantoast · · Score: 2

    Verizon has issued a press release saying that excluding authorized Verizon and Nice employees, the only person to access the files was the researcher who identified the leak.

    Press release here.

    As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
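The press release attributes the exposure to storage that was "incorrectly set to allow external access". As an added example (not from the article, Verizon or Nice), the Python below shows the two places an S3 bucket can be opened up, a grant to the AllUsers/AuthenticatedUsers groups in the bucket ACL and an Allow statement for a wildcard principal in the bucket policy, as a weak configuration beside a corrected one, with an offline checker that flags either. The documents mirror the shape the S3 API returns (get_bucket_acl / get_bucket_policy); the bucket name, account ID and role name are invented.

```python
import json

# Constructed ACL and policy documents; the public-group URIs are the real S3 ones,
# everything else (owner ID, bucket, account, role) is invented for this example.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
WEAK_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    # the misconfiguration: anyone on the internet may list and fetch objects
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
FIXED_ACL = {"Owner": WEAK_ACL["Owner"], "Grants": WEAK_ACL["Grants"][:1]}

WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-call-logs/*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-analytics"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"}]})

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_acl_grants(acl):
    """Permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_actions(policy_json):
    """Actions any Allow statement grants to a wildcard principal.

    Statements with a Condition are flagged too: AWS exempts some conditions from
    its definition of 'public', but each such hit still deserves a human review."""
    found = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
            actions = st.get("Action", [])
            found.extend(actions if isinstance(actions, list) else [actions])
    return found

def is_public(acl, policy_json):
    """Overall verdict: either path opened the bucket to parties outside the account."""
    return bool(public_acl_grants(acl) or public_policy_actions(policy_json))
```

In a real audit the same two functions are fed the output of `get_bucket_acl` and `get_bucket_policy` for every bucket in the account; a bucket that turns on S3 Block Public Access would be refused either weak setting at write time.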

  14. Re:Verizon States No One but Researcher Accessed D by Desler · · Score: 1

    And corporations are well-known for being honest and completely transparent.

  15. Re:Verizon States No One but Researcher Accessed D by Anonymous Coward · · Score: 0

    And corporations are well-known for being honest and completely transparent.

    And customers are well-known for refusing to do business with companies that fumble their data onto the internet.

  16. The only security anyone cares about is Killary's by Anonymous Coward · · Score: 0

    Nothing to see here, move along...

  17. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  18. Re: Verizon States No One but Researcher Accessed by spinitch · · Score: 1

    They may have been lucky. Are there any logs to prove it? Folks should be advised of precautions just in case.

  19. They will make ... by CaptainDork · · Score: 2

    ... the list.

    World's Biggest Data Breaches

    --
    It little behooves the best of us to comment on the rest of us.

  20. 911 by Anonymous Coward · · Score: 0

    NICE is also tied in to the Next Gen 911 contracts. When you hear 911 recordings played on the news or in court chances are they came from NICE

  21. Nobody asking by Anonymous Coward · · Score: 0

    Why is an Israeli company handling domestic communications related data? Why are so many Israelis in Washington? Why are so many Israelis in Hollywood? Why are so many Israelis in the financial sector? Why are so many Israelis running the news media?

    1. Re:Nobody asking by Anonymous Coward · · Score: 0

      "Why is an Israeli company handling domestic communications related data?"
      It's a plausible deniability thing, these Israeli companies work for Mossad and Mossad likely gives this info to NSA if they feel like it.

      "Why are so many Israelis in Washington?"
      "Why are so many Israelis in Hollywood?"
      "Why are so many Israelis in the financial sector?"
      "Why are so many Israelis running the news media?"

      The Jews have for hundreds of years been living in countries where they have been apart from the rest of the population.
      In some countries Jews have been limited to very select occupations: banker, jeweler, property manager... I think in general it's triggered a selective breeding for intelligence and a cultural interest in operating the levers of control.

  22. no kiddin by Anonymous Coward · · Score: 0

    any time I want to find something like a pay PDF, I just Google it and usually turn up an AWS share with it

  23. Re:Verizon States No One but Researcher Accessed D by Desler · · Score: 1

    Bullshit.