Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com) 44
Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.
Re: (Score:1)
Don't worry. They'll purchase one year of useless identity theft protection to make it right.
Re: (Score:3, Interesting)
Here's how these things often play out:
Tech grunt: "Boss, I've identified 7 areas here where our security is lax."
PHB: "How many hours will it take to plug them?"
Tech grunt: "About a month's worth of labor."
PHB: "That would mean project X wouldn't be ready by the deadline, and I wouldn't get my Christmas bonus. Let's fix the security gaps next year."
Easy to guess web address (Score:2)
"The data was downloadable by anyone with the easy-to-guess web address"
And there's actually (security) people who go around doing this ?? Well, I realize there are, but it's still pretty freaking strange to do !
Re: (Score:2)
They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.
Re: (Score:2)
They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.
If so, they certainly earned their pay. This is a homerun for Nice System's competitors. Much of NS's $1.01B in revenue will be going elsewhere in the future.
I'm not a Verizon customer... (Score:2)
No consequences are to be expected (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.
If the past is any indication in matters of computer seurity in this world, almost everyone will be punished, and praise and promotions doled out for those responsible.
Levi the janitor will be fired, and they'll call it a job well done.
Re: (Score:2)
Re: (Score:2)
Exposed PIN numbers of Wireless customers (Score:2)
The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service. Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.
Why would they record the pin in plain text in the log files? Irrespective of the leak to public domain, this would expose pins of all customers to all employees who can log in? Stupid to the core.
Re: (Score:3)
Re: (Score:2)
Recording the password in plaintext in log files itself is a huge security lapse
If only they were using systemd, avoiding the whole plaintext log files problem.
Re: (Score:2)
So everything's fine then? I mean I already have a security picture and it makes me enter in a security question each time.
If there was actually a problem they could just lock all the accounts in question and require a reset of the information in question.
I just logged in none of that happened.
Re: (Score:1)
Why would they record the pin in plain text in the log files?
Because companies above a certain size just don't give a rats ass.
How Nice probably got the Verizon contract (Score:2)
Nice Systems probably got the contract because they offered to do the work much faster and cheaper than what Verizon's own staff estimated. Now you know why it was so much cheaper, guys.
Hell, most IT work in general is a lot easier when you don't have little things like data security to worry about! Just throw it on "the cloud", problem solved!
Niiiiice! (Score:2)
The Problem Is... (Score:1)
Verizon States No One but Researcher Accessed Data (Score:3)
Press release here. [verizon.com]
As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
Re: (Score:1)
And corporations are well-known for being honest and completely transparent.
Re: (Score:1)
Bullshit.
Re: Verizon States No One but Researcher Accessed (Score:1)
They will make ... (Score:3)
... the list [informatio...utiful.net].
World's Biggest Data Breaches