Millions of Verizon customer records were left exposed in a loosely secured database by an Israeli technology company.
Up to 14 million customer records were gathered over the last six months from the largest telecommunications company in the United States were found on an unprotected Amazon storage server controlled by Nice Systems.
These Verizon records were discovered by Chris Vickery, director of cyber risk researcher at security company UpGuard. Included in this massive database were log files of communications from Verizon customers who had called customer service.
The records included customer names, cell phone numbers and account PIN––a security layer that if acquired could allow anyone to access the subscriber's account.
What can attacker do with the stolen records?
If an attacker were to gain access a person's PIN, they could theoretically hijack the victim's Verizon account and phone number. This type of take over would give the attacker the ability to intercept two-factor authentication messages, bypassing additional protection on the victim's other accounts.
The database also contained hundreds of additional information for each account, including the customer's type of subscription plan, the balance on their account, and if the customer is a member of the federal government.
Nice Systems, the company responsible for the server that housed the information, had access to the data to analyze customer service call experience. The Israel-based company listens to the recorded service calls to help improve the customer experience and used the account records to verify caller information. The company generates a "frustration score" for each call by detecting certain words or phrases spoken during the interactions with Verizon support staff.
Verizon was informed in late June of the database that left millions of customer's account details exposed. It took over a week before the telecom giant and its partner Nice Systems finally secured the server.
"This breach once again demonstrates the fact that cloud services like [Amazon Web Services] can be secure, but it is up to organizations using them to ensure that services are configured in a secure fashion," Rich Campagna, CEO of cloud security firm Bitglass told International Business Times.
Campagna called the unprotected Verizon server a "massive data leak" that could have been avoided with the right security measures. "Companies like Verizon must put policies in place that require third-party vendors like Nice to adequately protect any customer data that touches the cloud," he said.
The Verizon customer data is just the latest to be exposed by an unprotected server. Earlier this month, personal information of more than three million WWE wrestling fans was left exposed online in a servers, likely by a marketing company.
Even more troubling, earlier this year nearly 200 million voter registration files that could be used to identify American voters were discovered on an unsecured server. The records were also discovered on an unprotected Amazon server, which is owned by Republican data analytics firm Deep Root Analytics.
The database, which has since been secured, contained voter names, dates of birth, home addresses, phone numbers and voter registration details including party affiliation. The data also had the voters ethnicity and religion.
