Verizon Security Incident Exposes 14M Subscribers, Highlights Need For Cloud Security
Personal data on more than 14 million Verizon customers have been reportedly exposed in an incident that highlights the importance of moving data protection practices to the cloud.
The security lapse, first reported on ZDNet and discovered by research firm UpGuard, involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. The data contained names, phone numbers and PINs that could be used to access their Verizon accounts.
The report did not say if hackers had accessed the data, only that it was left exposed and easily accessible by guessing a simple URL that directed to the improperly configured cloud drive.
[Related: 10 Companies To Watch In Cloud Security]
The report said up to 14 million subscribers were affected, about 10 percent of Verizon's 108 million total subscribers. The subscribers affected were primarily those who called Verizon's customer services line in the last six months, the report said.
Ra'anana, Israel-based Nice Systems, a $4.7 billion company, counts 85 companies in the Fortune 100 as customers. In addition to customer engagement, the company's crime and compliance unit provides fraud prevention, brokerage compliance, and enterprise-wide case management services for financial institutions and regulatory authorities. It partners with Cisco, Accenture and IBM, among others. Nice records and analyzes customer log records created by Verizon when subscribers call customer service.
Verizon, the Basking Ridge, N.J.-based service provider, downplayed news of the breach on Thursday afternoon, calling the incident "overstated."
A spokesperson for Verizon told CNBC that it has confirmed that beyond Verizon and Nice Systems, only the researcher who brought the issue to Verizon’s attention had accessed the AWS storage drive.
"In other words, there has been no loss or theft of Verizon or Verizon customer information … We regret the incident and apologize to our customers," the spokesperson said.
Michael Goldstein, CEO of Fort Lauderdale, Fla.-based LAN Infotech, said the incident is the latest example of companies needing to step up their game when it comes to cloud security. He said firms need to apply the same level of protections to data in the cloud that they do when it is stored on premises.
"It is a common misconception that my servers are secure with Azure and Amazon. They still need to be patched. That’s the misconception. I really see that across the board," Goldstein said.
Goldstein said this incident, as well as other recent similar events, show the need to get back to security basics, even if data is stored in the cloud. That includes patching, antivirus, backups, and more.
"The basic rules haven’t changed in 30 years – we just call them different things [in the cloud]. That’s what we’re telling all of our engineers and our clients," Goldstein said. "It really is basics. You can’t leave something unsecured like that."
The report of exposed Verizon data comes on the heels of two similar incidents with World Wrestling Entertainment and the Republican National Convention. Both cases involved misconfigured or poorly secured Amazon Web Services S3 storage instances. It is also the second telecom company hit by a security incident this week, following on news that Indian telecom company Reliance Jio was investigating a breach that affected more than 100 million of its clients.