Slack Supplier Exposes Verizon Customer Records

Cyber resilience business UpGuard has blogged that sensitive information about 14mn Verizon customers, including phone numbers and account PINs, was exposed because of lax security at one of Verizon’s suppliers. They stated that…

…a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.

Many of you will have heard of Nice Systems. Ironically, Nice’s services are focused on security, fraud prevention and customer experience. Nice are suppliers to a large number of telcos as well as banks and other big businesses.

Verizon subsequently stated that UpGuard’s numbers overstated the risk, and that the impact was limited to 6mn customers.

UpGuard discovered the issue when their Director of Cyber Risk Research, Chris Vickery, identified a cloud-based Amazon S3 data repository which was fully downloadable and configured to allow public access. As they put it:

The database and its many terabytes of contents could thus be accessed simply by entering the S3 URL.

Verizon may not be the only telco impacted by Nice’s mistake. UpGuard noted that they also found French-language files on the server which contained data from Orange.

Nice’s failure will be a blow to advocates of cloud-based outsourcing of data analysis and management. UpGuard cogently explained the problem:

This exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.

I always argue that managing activities in-house is no guarantee of better protection, because your own staff and systems may be less competent or capable than those of a well-chosen supplier. However, this incident shows how big businesses may put their trust in suppliers that have a complacent attitude to securing data. The mistake made by Nice was completely avoidable. Amazon secures its servers by default, so somebody at Nice changed the security settings by design or accident. Any business relying on Nice to collect and maintain sensitive data should be asking the Israeli company some very hard questions right now.
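A defender-side check for exactly the misconfiguration described above, added here as an example rather than code from UpGuard, NICE or Verizon: it reads an S3 bucket policy and the bucket's ACL grants and reports any grant made to everyone. The bucket name, account id, role name and both sample policies are constructed for illustration.

```python
import json

# ACL grantee URIs meaning "anyone" or "any AWS account holder"
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _principals(statement):
    """Normalise the Principal element to a set of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return {aws} if isinstance(aws, str) else set(aws)

def public_statements(policy_json):
    """Sids of unconditional Allow statements whose principal is everyone ('*')."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" and "*" in _principals(stmt)
            and not stmt.get("Condition")]  # conditioned "*" grants still need review

def public_acl_grants(grants):
    """Permissions an ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

# Constructed sample: a policy that makes a bucket listable and downloadable by anyone
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: the same access restricted to one named IAM role (placeholder account id)
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-analytics"},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Constructed sample ACL: owner has full control, but AllUsers can read (public)
EXPOSED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]
HARDENED_ACL = EXPOSED_ACL[:1]  # owner-only grant
```

Running the two checks over every bucket an account owns, and alerting on any non-empty result, catches the "anyone with the URL can download it" state before an outside researcher does.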

UpGuard’s blog about the incident can be found here. It is well worth reading.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.