Verizon Downplays Impact Of Customer Data Exposure

A recent ZDNet report said that Nice Systems, an Israeli surveillance company and Verizon partners, exposed the account information of 14 million of the wireless network's customers. Verizon has now responded to the report, saying there was no theft or loss of customer information.

How The Data Was Exposed

According to Verizon, a Nice Systems employee put information about some of its customers on an Amazon S3 storage server, that allowed external access. The data could have been downloaded by anyone who had access to that public S3 address. However, Verizon said that this was done in error and wasn’t intentional.

According to Privacy International, Nice Systems is one of the largest Israeli providers of surveillance solutions, and it has ties to intelligence agencies from multiple countries. The company has also worked with notorious surveillance providers such as Hacking Team and Cellebrite.

The exposed records included information such as names, addresses, phone numbers, and account verification PINs. If these were mobile phone numbers, they could have allowed potential attackers access to customers’ Verizon accounts. This could have then further given the attackers access to online services that were protected by SMS-based two-factor authentication. Once the attackers could be identified as “customers” of Verizon, they could transfer the phone numbers to different phones and then receive the SMS tokens.

The data found on the server included six folders with with customer records that also referenced that some of the customers’ calls were being recorded and given a “frustration score.” However, the referenced recordings were not found on the Amazon server.

According to ZDNet's report, Verizon also had no prior knowledge that all of this data was exported by Nice Systems, which makes the whole situation even more concerning.

Whether or not Verizon gave Nice Systems access to these records, it’s also concerning that the records were not encrypted in the first place. If the account PINs are not encrypted, then blunders such as exposing customer databases to the public internet aren't even necessary to expose customer information, if potential attackers could also hack into their systems and steal that non-encrypted information.

Verizon’s Response

Verizon seems to be denying that Nice ystems didn’t first obtain approval from the company for using its customers data this way. The wireless company said that Nice was helping it with a call center portal and Nice required the data for the project.

Verizon stated the following:

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

Verizon also clarified that the majority of phone numbers on the Amazon server were for the wireline portal, and only some were mobile phone numbers. The company also said that the PINs were only used to authenticate customers calling to the wireline call center, but they could not provide online access to customer accounts. Verizon also noted that only 6 million accounts were exposed, as opposed to the 14 million reported by ZDNet.

Verizon apologized for the incident, but Representative Ted Lieu has already called for a Congressional hearing to find out more about what exactly happened. Verizon has been one of the wireless providers fighting FCC’s recently overturned privacy rules that would’ve put a bigger responsibility on ISPs and carriers to protect their customers information.

Under the overturned FCC privacy framework, the carrier would not have been able to obtain some of that information, if the information wasn’t strictly necessary to provide its services. However, with these rules overturned, ISPs and carriers are now much more free to not only collect more customer information, but also to share it with their partners, and as it seems, often in cleartext form.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hellwig
    I'm glad you state this:

    "If these were mobile phone numbers, they could have allowed potential attackers access to customers’ Verizon accounts. This could have then further given the attackers access to online services that were protected by SMS-based two-factor authentication. Once the attackers could be identified as “customers” of Verizon, they could transfer the phone numbers to different phones and then receive the SMS tokens."

    Because there was another story recently where someone was able to do exactly this, even without the PIN included in this leak. Human error was at fault there (apparently some operator felt sorry for the scammer) but if you have than PIN, that's the only thing that tells Verizon you are who you are. In that case, the lesson was do not tie a bank account to your PayPal account.

    In this case, it appears to be Don't Trust Verizon, they will lie about the severity of the leak.
    Reply
  • 10tacle
    I left Verizon earlier this year after being a six year customer (moving from AT&T). The final straw was them removing customer discounts for working for a vendor of theirs (mine was 20% which was big for an $80+ monthly bill). A friend of mine worked for them for years as a back end security programmer and he left due to incompetent and arrogant vertical management. They never listened to anyone. And now we have this. Idiots.
    Reply