As many as 14 million customers of telecom giant Verizon Communications Inc. (NYSE: VZ) had personal data, including names, addresses, account details and PINs, exposed late last month from a misconfigured cloud-based file repository operated by Israel-based Nice Systems.
CNN reported Wednesday that Verizon had confirmed that personal data on 6 million customers was exposed when Nice failed to set up the cloud-based file properly. A misconfigured security setting on the Amazon.com Inc. (NASDAQ: AMZN) Web Services S3 storage server left the file open to the public. Verizon’s data was temporarily available to anyone who had the public link to the file.
The leak was discovered by cybersecurity firm UpGuard, which alerted Verizon on June 13. The security hole was closed on June 22, according to UpGuard’s report.
In its statement, Verizon emphasized that no customer data was lost or stolen. Dark Reading cited Verizon’s statement:
“To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts.”
According to UpGuard, the threat was not so benign:
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”
UpGuard, the company that discovered the leak of nearly 200 million voter records from a Republican Party database, also said that the nine-day delay between the time it notified Verizon and when Verizon closed the hole was “troubling”:
“Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises. … This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties.”
Verizon stock traded up about 0.4% in the late morning Thursday, at $43.40 in a 52-week range of $42.80 to $56.25. Verizon stock has been the worst-performing of the 30 equities that make up the Dow Jones Industrial Average for some time now. The stock is down nearly 19% since the beginning of 2017.