BreachExchange mailing list archives
Millions of Verizon customer records exposed in security lapse
From: Richard Forno <rforno () infowarrior org>
Date: Wed, 12 Jul 2017 15:49:01 -0400
Millions of Verizon customer records exposed in security lapse Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed. By Zack Whittaker for Zero Day | July 12, 2017 -- 13:00 GMT (06:00 PDT) | Topic: Security An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned. As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company. Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries. Privacy watchdogs have linked the company to several government intelligence agencies, and it's known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite. In regulatory filings with the Securities and Exchange Commission, Nice noted that it can't control what customers do with its software. "Our products may also be intentionally misused or abused by clients who use our products," said Nice in its annual report. Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June. It took over a week before the data was eventually secured. The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service. Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press. Several security experts briefed on the exposure prior to publication warned of phone hijacking and account takeovers, which could allow hackers to break into a person's email and social media accounts protected even by two-factor authentication. Verizon has over 108 million post-paid wireless customers. Six folders for each month from January through to June contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company's datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer's home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer's "frustration score," by detecting if certain keywords are spoken by a customer during a call. < - > http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/ _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Millions of Verizon customer records exposed in security lapse Richard Forno (Jul 13)