Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Verizon Privacy Security The Internet

Millions of Verizon Customer Records Exposed in Security Lapse (zdnet.com) 44

Zack Whittaker, reporting for ZDNet: An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.
This discussion has been archived. No new comments can be posted.

Millions of Verizon Customer Records Exposed in Security Lapse

Comments Filter:
  • "The data was downloadable by anyone with the easy-to-guess web address"

    And there's actually (security) people who go around doing this ?? Well, I realize there are, but it's still pretty freaking strange to do !

    • They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

      • They aren't security people, they are marketing people who get to turn the publicity into an advertisement for their company when they find something.

        If so, they certainly earned their pay. This is a homerun for Nice System's competitors. Much of NS's $1.01B in revenue will be going elsewhere in the future.

  • And I haven't changed my Yahoo! email password in 20+ years.
  • by volodymyrbiryuk ( 4780959 ) on Wednesday July 12, 2017 @01:32PM (#54795331)
    As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.
    • As long as lax security doesn't have a significant negative financial impact on companies like Verizon nothing will happen.

      If the past is any indication in matters of computer seurity in this world, almost everyone will be punished, and praise and promotions doled out for those responsible.

      Levi the janitor will be fired, and they'll call it a job well done.

    • Comment removed based on user account deletion
    • Comment removed based on user account deletion
  • The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service. Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.

    Why would they record the pin in plain text in the log files? Irrespective of the leak to public domain, this would expose pins of all customers to all employees who can log in? Stupid to the core.

    • So Verizon contracts with some company to analyze customer interactions in real time. They provide them with their raw logs. The logs contain pin numbers and cell phone numbers. Recording the password in plaintext in log files itself is a huge security lapse. Any employee with access to the logs can actually mess with any customers account. Then they gave the raw unsanitized logs to some third party company. That company has even worse security policy and stores the raw log files in some publicly accessible
      • by fisted ( 2295862 )

        Recording the password in plaintext in log files itself is a huge security lapse

        If only they were using systemd, avoiding the whole plaintext log files problem.

      • by sims 2 ( 994794 )

        So everything's fine then? I mean I already have a security picture and it makes me enter in a security question each time.

        If there was actually a problem they could just lock all the accounts in question and require a reset of the information in question.

        I just logged in none of that happened.

    • Why would they record the pin in plain text in the log files?

      Because companies above a certain size just don't give a rats ass.

  • Nice Systems probably got the contract because they offered to do the work much faster and cheaper than what Verizon's own staff estimated. Now you know why it was so much cheaper, guys.

    Hell, most IT work in general is a lot easier when you don't have little things like data security to worry about! Just throw it on "the cloud", problem solved!

  • EOM
  • In my opinion: Almost all internet connected H/W, OS and applications have as-of-yet undiscovered vulnerabilities, even when supposedly patched. At least one major intelligence agency of a "some" State government, has been actively exploiting the above vulnerabilities for at least a decade and has developed a lovely little toolbox of goodies that has for reasons that allude me, been leaked to the hacking, et all., community at large. All entities that collect the most private of data from us have been or
  • Verizon has issued a press release saying that excluding authorized Verizon and Nice employees, the only person to access the files was the researcher who identified the leak.

    Press release here. [verizon.com]

    As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

  • by CaptainDork ( 3678879 ) on Thursday July 13, 2017 @12:30AM (#54798697)

    ... the list [informatio...utiful.net].

    World's Biggest Data Breaches

"Most of us, when all is said and done, like what we like and make up reasons for it afterwards." -- Soren F. Petersen

Working...