BreachExchange mailing list archives

Millions of Verizon customer records exposed in security lapse


From: Richard Forno <rforno () infowarrior org>
Date: Wed, 12 Jul 2017 15:49:01 -0400

Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed.
 
By Zack Whittaker for Zero Day | July 12, 2017 -- 13:00 GMT (06:00 PDT) | Topic: Security

An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.

As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were 
found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based 
company.

Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer 
engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 
revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest 
industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 
25,000 customers in about 150 countries.

Privacy watchdogs have linked the company to several government intelligence agencies, and it's known to work closely 
with surveillance and phone cracking firms Hacking Team and Cellebrite. In regulatory filings with the Securities and 
Exchange Commission, Nice noted that it can't control what customers do with its software. "Our products may also be 
intentionally misused or abused by clients who use our products," said Nice in its annual report.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of 
the exposure shortly after it was discovered in late June.

It took over a week before the data was eventually secured.

The customer records were contained in log files that were generated when Verizon customers in the last six months 
called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize 
intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account 
holders and to improve customer service.

Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant 
anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition 
of anonymity as they were not authorized to speak to the press.

Several security experts briefed on the exposure prior to publication warned of phone hijacking and account takeovers, 
which could allow hackers to break into a person's email and social media accounts protected even by two-factor 
authentication.

Verizon has over 108 million post-paid wireless customers.

Six folders for each month from January through to June contained several daily log files, apparently recording 
customer calls from different US regions, based on the location of the company's datacenters, including Florida and 
Sacramento. Each record also contained hundreds of fields of additional data, including a customer's home address, 
email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and 
if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer's 
"frustration score," by detecting if certain keywords are spoken by a customer during a call.

< - >

http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/
