Verizon data breach happened in 2017. What and how did this happen to the largest wireless carrier in the United States?
Read on to know more.
Verizon Data Breach
Verizon has already risen and apologized to its customers for what happened in 2017. It was when its contractor failed to secure 6 million of its customers’ accounts.
So, they exposed vital and sensitive data like:
- full names
- phone numbers
- account information
- PIN codes. Customers use to verify themselves to Verizon’s phone-based customer service teams
Then, Chris Vickery was the one who discovered this breach. He is a researcher with the cyber risk team at UpGuard, a security vendor.
These data were in an unsecured Amazon Web Services Simple Storage Service (S3) “bucket.” And the one who controlled it was NICE systems. An Israel-based partner of Verizon.
NICE was carrying a residential and small business call center portal. Then, they needed certain data for the project when it happened.
On June 13, UpGuard already told Verizon of the data exposure. But it was only on June 22 that they locked down the bucket.
And as per UpGuard, around 14 million customer data were exposed. But Verizon said it only amounted to up to 6 million user accounts.
Then, Verizon said no customer data was lost or stolen. It’s possible they knew this by analyzing access logs.
Chris Vickery’s exposure to Verizon’s data breach was unintentional. It was part of his efforts to catalog staggering breaches by using the Shodan search engine.
This search engine can find internet-connected systems and cloud instances. Those that are that do not have proper security.
With this, Vickery found out that NICE made a configuration error with the S3 bucket. Thus, making customer data available on the internet.
But Amazon does not let the public access the S3 buckets. It can also be made off-limits.
So, this shines the light that someone at NICE might have turned the security defaults off.
Yet, Verizon downplayed the data exposure. Saying that there were no Social Security numbers or voice recordings exposed. And there were only limited data included.
But this was not received well by security experts. Because while some had their PINs masked, some accounts have their PINs leaked.
The exposure of these PINs may pose a great threat. Attackers can pose as the customer. And trick Verizon into giving them access to their accounts.
Then, having the PIN might be enough for criminals to call Verizon and get a new SIM card. This means they can own the victim’s phone number.
After, they can now receive two-factor authentication codes from online services. Thus, making it possible for criminals to access the victim’s online banking. And other cloud storage providers.
But Verizon said these PINs cannot be used to gain access to a customer’s online account.
Thus, Verizon already learned a lesson with this experience. Good thing there weren’t major attacks that happened in this data breach.
But customers are still wary of the amount of security they get from the provider.
Rate this post: