In a significant data breach, Verizon, one of the leading telecommunications providers in the United States, has exposed the personal information of over 14 million customers. This incident occurred due to an oversight by NICE Systems, a third-party vendor, which inadvertently left sensitive user data accessible on an unsecured server.

Chris Vickery, a noted researcher and director of cyber risk research at UpGuard, discovered the exposed information on an unprotected Amazon S3 cloud server that was configured to allow public access. The data comprised customer details such as names, phone numbers, and account PINs, which are critical for account access and could let someone get past the protection offered by two-factor authentication.

Dan O’Sullivan from UpGuard highlighted the gravity of this breach, stating that the exposure of Verizon account PINs alongside associated phone numbers presents particularly alarming risks. NICE Systems, an Israeli firm specializing in solutions for intelligence agencies—including data security and surveillance—has been the focus of scrutiny in light of this incident.

It remains unclear why Verizon permitted a third-party company to manage its users’ call information. However, it appears that NICE Systems has been tasked with monitoring the efficiency of Verizon’s call center operators. The compromised data includes records of customer interactions with Verizon’s customer service over the past six months, collected and analyzed by NICE.

Moreover, reports indicate that NICE Systems collaborates with the European telecommunications giant, Orange, to gather customer data across Europe and Africa. This partnership elevates concerns regarding the management of sensitive data by third-party vendors, underscoring the vulnerabilities that businesses face when outsourcing critical functions.

The incident can be read against the MITRE ATT&CK framework, whose tactics and techniques may have been employed during this breach. Initial access and data exposure could have been pivotal, given that the server was unprotected and its access settings allowed public downloads of sensitive information.

Vickery alerted Verizon’s security team to the exposed data in late June, leading to a swift remediation of the situation within a week. Known for his track record of identifying unsecured datasets, Vickery previously uncovered major leaks, including a dataset from Deep Root Analytics that compromised information from over 198 million US citizens.

In light of this breach, it is critical for businesses to assess their cybersecurity measures carefully. The use of third-party vendors, while beneficial, introduces notable risks related to data handling and customer privacy.

This incident serves as a cautionary tale, illustrating the vital need for robust security protocols when engaging with external partners. As the cyber landscape evolves, businesses must remain vigilant and proactive in safeguarding sensitive information to mitigate the risks associated with potential data breaches.
