Cyber resilience business UpGuard has blogged that sensitive information about 14mn Verizon customers, including phone numbers and account PINs, was exposed because of lax security at one of Verizon’s suppliers. They stated that…
…a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.
Many of you will have heard of Nice Systems. Ironically, Nice’s services are focused on security, fraud prevention and customer experience. Nice are suppliers to a large number of telcos as well as banks and other big businesses.
Verizon subsequently stated that UpGuard’s numbers overstated the risk, and that the impact was limited to 6mn customers.
UpGuard discovered the issue when their Director of Cyber Risk Research, Chris Vickery, identified a cloud-based Amazon S3 data repository which was fully downloadable and configured to allow public access. As they put it:
The database and its many terabytes of contents could thus be accessed simply by entering the S3 URL.
Verizon may not be the only telco impacted by Nice’s mistake. UpGuard noted that they also found French-language files on the server which contained data from Orange.
Nice’s failure will be a blow to advocates of cloud-based outsourcing of data analysis and management. UpGuard cogently explained the problem:
This exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.
I always argue that managing activities in-house is no guarantee of better protection, because your own staff and systems may be less competent or capable than those of a well-chosen supplier. However, this incident shows how big businesses may put their trust in suppliers that have a complacent attitude to securing data. The mistake made by Nice was completely avoidable. Amazon secures its servers by default, so somebody at Nice changed the security settings by design or accident. Any business relying on Nice to collect and maintain sensitive data should be asking the Israeli company some very hard questions right now.
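As an added illustration of the misconfiguration described above (this is not code from UpGuard, Verizon or NICE), the following Python audit flags the ACL grants and bucket-policy statements that make an S3 bucket readable by anyone; it assumes the document shapes returned by the S3 GetBucketAcl and GetBucketPolicy APIs and runs on constructed sample documents, with the weak setting beside the corrected one.

```python
import json

# Grantee group URIs that make an S3 ACL grant public. Assumption: these are the
# URIs the GetBucketAcl API returns for the AllUsers / AuthenticatedUsers groups.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone, no credentials)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def public_acl_grants(acl):
    """Findings for ACL grants to a public group; `acl` is shaped like a GetBucketAcl response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings

def _wildcard_principal(principal):
    # Principal may be the string "*", or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_policy_statements(policy_json):
    """Findings for unconditional Allow statements whose Principal is everyone."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public grants need a human look; not flagged here
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"Policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone")
    return findings

def audit_bucket(acl, policy_json):
    """Combined check; an empty list means no public grant was found."""
    return public_acl_grants(acl) + public_policy_statements(policy_json)

# Constructed sample inputs: the weak ACL/policy beside the corrected ones.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-vendor-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})
```

Running `audit_bucket(LEAKY_ACL, LEAKY_POLICY)` returns two findings (the public READ grant and the PublicRead statement), while the private pair returns an empty list.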
UpGuard’s blog about the incident can be found here. It is well worth reading.