Different sources are reporting different numbers, but the personal information on between 6 million and 14 million Verizon Wireless customers has been exposed.
The information includes name, address, phone number, general information on calls made to customer service and, in some cases, the user’s security PIN.
The details of this are going to sound all too familiar.
- The data was stored in the Amazon cloud
- The data was not password protected
- The data was not encrypted
- The data was not stored there by Verizon, but rather a third party business partner.
The partner, Nice Systems of Israel, said that the data was exposed as a result of a configuration error. I am reasonably confident that this is true, but that doesn’t seem to make any difference, really.
Like the recent discovery of the large Republican voter data leak, this leak was also discovered by Upguard; specifically researcher Chris Vickery.
Unlike some of the other leaks which got taken down immediately, it took Verizon 9 days to lock up this data.
Verizon is claiming that no data was “stolen”, but Vickery says that due to the nature of this Amazon S3 service, there is no way that Verizon could know that. While both sides have a vested interest in this fight, I would tend to side with Upguard in this case.
This seems like a broken record to me –
What do you need to be doing –
#1 – You’ve got to set up a third party cyber risk management program. Verizon is going to take the heat in this case, but it is NICE’s screw up. The third party risk management program is designed to make sure that vendors have security controls in place.
Verizon is taking the heat because the customers have the relationship with Verizon, not NICE. In fact, until today, most customers have never heard of NICE. This is Verizon’s problem and they have to own it. So far, all I have heard is a bit of spin – not to worry; nothing to see – keep moving. That does not inspire confidence.
#2 – Amazon. Amazon. Amazon. While this is definitely not Amazon’s fault, at this point, every company that uses any cloud services – or allows their business partners to use cloud services – needs to be checking cloud permissions very carefully. With great power comes great responsibility.
#3 – Have an incident response plan in place. Verizon saying that there was nothing to worry about, without any explanation, isn’t very comforting. They need to work on their bedside manner (or in this case, their cloudside manner). You have to give people a better story than “don’t worry.”
Why did it take Verizon 9 days to lock down this data? Sounds like their incident response program needs some work.
While this could have happened to anyone – and has happened to several companies just in the last month – given all the occurrences that we have seen recently, companies need to step up their game or they will get skewered in the court of public opinion.
Information for this post came from Slashgear.