Verizon Breach and the Importance of Security Coverage
A report published by security research company UpGuard and since confirmed by Verizon indicates that several million sets of confidential user data may have been leaked. The reason for the leak is a misconfigured cloud storage (Amazon Web Services S3 bucket) used by 3rd party vendor NICE, a data analysis company.
What was accessible?
The datasets found by UpGuard contained data apparently related to customer support phone calls including names, addresses and account PINs. Criminals with access to such information could very reasonably impersonate a victim over the phone and then perform any action that legitimate customers may perform on their account.
UpGuard claims that 14 million sets of user data were vulnerable while Verizon has so far only confirmed that 6 million sets were affected.
Why the leak?
The files were found on an Amazon AWS S3 bucket used by NICE.
S3 is a flexible cloud data storage solution offered by Amazon as part of their AWS infrastructure.
According to the report, the S3 bucket was configured to make its contents available over the internet without authorization. This means that anyone who knew or found the URL to the bucket could download all files contained within it. S3 buckets are private by default, but even a simple misconfiguration or coding mistake could lead to one being made publicly accessible. Naturally Amazon is not at fault for someone mishandling technology provided by them.
While the exact reason for Verizon sharing the files with NICE is unknown, it was most likely to perform data analysis on the support calls. This is standard practice for both improving customer support and preventing fraud. The field of data analysis is highly complex, leading to specialized 3rd party vendors performing the analysis of most large organizations.
What is the impact of the leak?
We expect the impact of the leak to be somewhat limited. While the addresses and names leaked may be abused by attackers, they represent relatively low value information on black markets when compared to credit card or social security numbers which are also readily available. The only authenticating information contained in the leak appear to be Verizon customer pins which the company can reset relatively easily.
The damage done to Verizon’s image in the eyes of consumers will be larger but we predict it to be dwarfed by the damage caused to NICE’s image in the eyes of large organization customers.
How can I protect my organization?
The fact that the leaks were caused by NICE, one of the world’s largest data analysis companies with customers ranging from Fortune 500 companies to national governments and still happened due to a basic configuration mistake highlights a critical aspect of information security:
No matter how prestigious a company is and no matter how high their average security levels may be, a single employee can - through malice or a simple mistake - cause massive security issues.
The only viable methods to lessen the risk of such breaches are
- restrictive access controls that limit access to customer and other critical data to isolated networks
- company wide security awareness and skill training for all employees even outside of the IT profession