Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com)

Posted by msmash on from the security-woes dept.

Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.

24 of 44 comments (clear)

  1. Easy to guess web address by Hall · · Score: 1

    "The data was downloadable by anyone with the easy-to-guess web address"

    And there's actually (security) people who go around doing this ?? Well, I realize there are, but it's still pretty freaking strange to do !

    1. Re:Easy to guess web address by Mycroft-X · · Score: 1

      They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

    2. Re:Easy to guess web address by ShanghaiBill · · Score: 1

      They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

      If so, they certainly earned their pay. This is a homerun for Nice System's competitors. Much of NS's $1.01B in revenue will be going elsewhere in the future.

  2. I'm not a Verizon customer... by __aaclcg7560 · · Score: 1

    And I haven't changed my Yahoo! email password in 20+ years.

  3. Re:hahahaha by Desler · · Score: 1

    Don't worry. They'll purchase one year of useless identity theft protection to make it right.

  4. No consequences are to be expected by volodymyrbiryuk · · Score: 4, Insightful

    As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.

    --
    sudo rm -r -f --no-preserve-root /
    1. Re:No consequences are to be expected by Ol+Olsoc · · Score: 1

      As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.

      If the past is any indication in matters of computer seurity in this world, almost everyone will be punished, and praise and promotions doled out for those responsible.

      Levi the janitor will be fired, and they'll call it a job well done.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:No consequences are to be expected by volodymyrbiryuk · · Score: 1

      This happend in Germany to customers of a particular carrier as well. But the scammers got even more sophisticated and managed to get into SS7 and drained O2 customers' bank accounts by phishing login data and intercepting mTANs. Security researchers warned about this for years.

      --
      sudo rm -r -f --no-preserve-root /
    3. Re:No consequences are to be expected by houghi · · Score: 1

      Accountability is a serious issue. Not only in business, but also in policing and politics. The fact is that many things are decided legally and not morally.

      It is a bit like sleeping with your best friends SO. If they then hit you in the face with a brick, you legally did nothing wrong, but you well deserved the brick in your face. (Yes, the SO as well, but that is a separate issue.)

      --
      Don't fight for your country, if your country does not fight for you.
  5. Exposed PIN numbers of Wireless customers by 140Mandak262Jamuna · · Score: 1

    The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service. Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.

    Why would they record the pin in plain text in the log files? Irrespective of the leak to public domain, this would expose pins of all customers to all employees who can log in? Stupid to the core.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Exposed PIN numbers of Wireless customers by 140Mandak262Jamuna · · Score: 2
      So Verizon contracts with some company to analyze customer interactions in real time. They provide them with their raw logs. The logs contain pin numbers and cell phone numbers. Recording the password in plaintext in log files itself is a huge security lapse. Any employee with access to the logs can actually mess with any customers account. Then they gave the raw unsanitized logs to some third party company. That company has even worse security policy and stores the raw log files in some publicly accessible server.

      In the end all the top brass will find some scape goat. "Our policy guidelines specifically state the security procedures followed should be of the highest order. They violated our guidelines and policy. They are solely responsible!". The people who write the guidelines to protect their rear ends get paid millions of dollars, and they also implement a pay/bonus/promotion/reward system where following the very same guidelines will make your performance very very bad. With a wink and a nod, knowing fully well their policies are not followed, they could not be followed, they exist only as a CMA shield, they carry on.

      Unless we hold the fire the entire chain of command and dock their pay and bonus and clawback past bonuses and pay they would not change.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Exposed PIN numbers of Wireless customers by fisted · · Score: 1

      Recording the password in plaintext in log files itself is a huge security lapse

      If only they were using systemd, avoiding the whole plaintext log files problem.

      --
      CLI paste? paste.pr0.tips!
    3. Re:Exposed PIN numbers of Wireless customers by sims+2 · · Score: 1

      So everything's fine then? I mean I already have a security picture and it makes me enter in a security question each time.

      If there was actually a problem they could just lock all the accounts in question and require a reset of the information in question.

      I just logged in none of that happened.

      --
      Minimum threshold fixed. Thanks!
    4. Re:Exposed PIN numbers of Wireless customers by schleimkeim · · Score: 1

      Why would they record the pin in plain text in the log files?

      Because companies above a certain size just don't give a rats ass.

  6. How Nice probably got the Verizon contract by supremebob · · Score: 1

    Nice Systems probably got the contract because they offered to do the work much faster and cheaper than what Verizon's own staff estimated. Now you know why it was so much cheaper, guys.

    Hell, most IT work in general is a lot easier when you don't have little things like data security to worry about! Just throw it on "the cloud", problem solved!

  7. Re:hahahaha by Tablizer · · Score: 3, Interesting

    Verizon is huge. They can afford to...pay for people who can figure out rudimentary security policies and practices.

    Here's how these things often play out:

    Tech grunt: "Boss, I've identified 7 areas here where our security is lax."

    PHB: "How many hours will it take to plug them?"

    Tech grunt: "About a month's worth of labor."

    PHB: "That would mean project X wouldn't be ready by the deadline, and I wouldn't get my Christmas bonus. Let's fix the security gaps next year."

    --
    Table-ized A.I.
  8. Niiiiice! by thomn8r · · Score: 1

    EOM

  9. The Problem Is... by ZNetracer · · Score: 1

    In my opinion: Almost all internet connected H/W, OS and applications have as-of-yet undiscovered vulnerabilities, even when supposedly patched. At least one major intelligence agency of a "some" State government, has been actively exploiting the above vulnerabilities for at least a decade and has developed a lovely little toolbox of goodies that has for reasons that allude me, been leaked to the hacking, et all., community at large. All entities that collect the most private of data from us have been or will be hacked eventually. Many of those hacked entities will never come clean about it unless publicly burned by someone. There will be little or no recourse or punishment for these entities, even in cases of extreme negligence. Unless maybe a bunch of folks die... With the amount of data that we are required to, encouraged to or coerced into providing various government, financial, medical and retail entities, it's only a matter of time as to when your most sensitive info becomes publicly available. If one is to accept that having your data exposed will be the norm, how do you operate on a day to day basis in that environment? It's not like we can all go off-grid or roll back to paper. Not that that would help anyway...

  10. Verizon States No One but Researcher Accessed Data by Koreantoast · · Score: 2
    Verizon has issued a press release saying that excluding authorized Verizon and Nice employees, the only person to access the files was the researcher who identified the leak.

    Press release here.

    As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

  11. Re:Verizon States No One but Researcher Accessed D by Desler · · Score: 1

    And corporations are well-known for being honest and completely transparent.

  12. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  13. Re: Verizon States No One but Researcher Accessed by spinitch · · Score: 1

    They may have been lucky. Is there any logs to prove? Folks should be advised of precautions just in case.

  14. They will make ... by CaptainDork · · Score: 2

    ... the list.

    World's Biggest Data Breaches

    --
    It little behooves the best of us to comment on the rest of us.
  15. Re:Verizon States No One but Researcher Accessed D by Desler · · Score: 1

    Bullshit.