Slashdot Mirror


Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com)

Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.

5 of 44 comments

  1. No consequences are to be expected by volodymyrbiryuk · · Score: 4, Insightful

    As long as lax security doesn't have a significant negative financial impact on companies like Verizon, nothing will happen.

    --
    sudo rm -r -f --no-preserve-root /
  2. Re:Exposed PIN numbers of Wireless customers by 140Mandak262Jamuna · · Score: 2
    So Verizon contracts with some company to analyze customer interactions in real time. They provide them with their raw logs. The logs contain PIN numbers and cell phone numbers. Recording the password in plaintext in log files itself is a huge security lapse. Any employee with access to the logs can actually mess with any customer's account. Then they gave the raw unsanitized logs to some third party company. That company has an even worse security policy and stores the raw log files in some publicly accessible server.

    In the end all the top brass will find some scapegoat. "Our policy guidelines specifically state the security procedures followed should be of the highest order. They violated our guidelines and policy. They are solely responsible!". The people who write the guidelines to protect their rear ends get paid millions of dollars, and they also implement a pay/bonus/promotion/reward system where following the very same guidelines will make your performance very very bad. With a wink and a nod, knowing full well their policies are not followed, they could not be followed, they exist only as a CMA shield, they carry on.

    Unless we fire the entire chain of command and dock their pay and bonus and claw back past bonuses and pay, they would not change.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:hahahaha by Tablizer · · Score: 3, Interesting

    Verizon is huge. They can afford to...pay for people who can figure out rudimentary security policies and practices.

    Here's how these things often play out:

    Tech grunt: "Boss, I've identified 7 areas here where our security is lax."

    PHB: "How many hours will it take to plug them?"

    Tech grunt: "About a month's worth of labor."

    PHB: "That would mean project X wouldn't be ready by the deadline, and I wouldn't get my Christmas bonus. Let's fix the security gaps next year."

  4. Verizon States No One but Researcher Accessed Data by Koreantoast · · Score: 2
    Verizon has issued a press release saying that excluding authorized Verizon and Nice employees, the only person to access the files was the researcher who identified the leak.

    Press release here.

    As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

  5. They will make ... by CaptainDork · · Score: 2

    ... the list.

    World's Biggest Data Breaches

    --
    It little behooves the best of us to comment on the rest of us.