Millions of customers of the one of the world's top five largest media organisations have had their data exposed in a new breach on a Verizon third party server. In June, cybersecurity company UpGuard discovered that millions of accounts could have been exposed to the web because NICE systems, an Israeli data security/analytics company and Verizon third-party vendor, misconfigured a cloud storage repository.
Verizon confirmed to press today that the details of six million accounts were exposed. NICE separately blamed the leak on human error, unrelated to the company's software, leading to the exposure of data from “an isolated staging area with limited information for a specific project.”
The exposed data includes names, addresses, phone numbers, PINs and other account details, all of which was leaking from an Amazon Web Services S3 bucket, supposedly set up to log customer call data. The repository was configured to allow external access, exposing the millions of accounts held within that storage area to be publically accessible.
Charles Goldberg, senior director of product at Thales e-security, told SC Media UK via email that Amazon S3 buckets are vulnerable to this kind of mistake: “This is not because AWS isn't a secure environment, but rather because even very well trained professionals can find it challenging to manage access controls in AWS; even smart people can mess up. It's quite easy to make a mistake and leave your data exposed.”
UpGuard's Dan O' Sullivan, pointed out in a blog that the exposure of Verizon account PINs along with their associated phone number is particularly worrying considering the proliferation of phones as components of two-factor authentication.
Jeff Nolan, CMO at SecureAuth, told SC that “the fallout from Verizon's latest Amazon S3 leak will be felt for a long time to come.” An attacker with not much more information than what was exposed can merely contact a victim's phone carrier and have the SIM card swapped to a new device. From there what was once the victim's phone is in control of the attacker.
NICE systems has confirmed the breach, as has Verizon although the company was eager to point out that there has been no loss or theft of that data, and that the amount of personal information in the repository was limited.
UpGuard's Chris Vickery discovered the leak on 12 June, reported it on the 13th and it was fixed by the 22nd.
NICE systems released its statement to SC: Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.
This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.