How The Data Was Exposed
According to Verizon, a Nice Systems employee put information about some of its customers on an Amazon S3 storage server that allowed external access. The data could have been downloaded by anyone who knew that public S3 address. However, Verizon said that this was done in error and wasn’t intentional.
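The failure described here is an S3 bucket whose access settings allow anyone on the internet to read it. The following is an added example, not code from the original article or from any party it mentions: an offline audit that takes an S3 bucket policy document and a bucket ACL (in the JSON shapes AWS returns for them) and reports every grant that opens the bucket to any principal. The sample policy and ACL below are constructed for the example; the `AllUsers` and `AuthenticatedUsers` group URIs are the real ones AWS uses for public ACL grants.

```python
"""Offline audit of S3 bucket policy and ACL documents for public-access grants.

Added example (not from the article). Input documents are constructed samples in
the JSON shape returned by S3's GetBucketPolicy / GetBucketAcl APIs.
"""
import json

# Real AWS group URIs that make an ACL grant world-readable / readable by any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """True if a policy Principal is the wildcard: "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> list:
    """Return labels of Allow statements open to any principal.

    A statement with a Condition block may still be narrowed (e.g. to a VPC or a
    source IP), so it is reported separately rather than silently accepted.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        findings.append(f"{label} (conditional)" if stmt.get("Condition") else label)
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return 'Group:Permission' for every ACL grant to a public AWS group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            out.append(f"{group}:{grant.get('Permission')}")
    return out


def audit_bucket(policy: dict, acl: dict) -> dict:
    """Combine both checks; 'public' is True if either mechanism exposes the bucket."""
    pol = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    return {"policy": pol, "acl": acl_hits, "public": bool(pol or acl_hits)}


# Constructed sample: one public-read statement plus an account-scoped one.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample ACL: owner has full control, but AllUsers can READ (list the bucket).
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "example-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

# Hardened variants: wildcard statement removed, public ACL grant removed.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [SAMPLE_POLICY["Statement"][1]]}
HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL))
    print(audit_bucket(HARDENED_POLICY, HARDENED_ACL))
```

In a live account the same two functions can be fed the output of `get_bucket_policy` and `get_bucket_acl`; the audit deliberately treats a conditional wildcard as a finding rather than a pass, because whether the condition actually restricts access has to be judged by a human. Enabling S3 Block Public Access at the account level removes this class of mistake regardless of what an individual bucket's policy says.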
According to Privacy International, Nice Systems is one of the largest Israeli providers of surveillance solutions, and it has ties to intelligence agencies from multiple countries. The company has also worked with notorious surveillance providers such as Hacking Team and Cellebrite.
The exposed records included information such as names, addresses, phone numbers, and account verification PINs. If these were mobile phone numbers, they could have allowed potential attackers access to customers’ Verizon accounts. This could have then further given the attackers access to online services that were protected by SMS-based two-factor authentication. Once the attackers could be identified as “customers” of Verizon, they could transfer the phone numbers to different phones and then receive the SMS tokens.
The data found on the server included six folders with customer records that also referenced that some of the customers’ calls were being recorded and given a “frustration score.” However, the referenced recordings were not found on the Amazon server.
According to ZDNet’s report, Verizon also had no prior knowledge that all of this data was exported by Nice Systems, which makes the whole situation even more concerning.
Whether or not Verizon gave Nice Systems access to these records, it’s also concerning that the records were not encrypted in the first place. If the account PINs are stored unencrypted, then a blunder such as exposing a customer database to the public internet isn’t even necessary for customer information to leak: an attacker who breaks into the systems holding that data could steal the same cleartext information.
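The point of this paragraph is that a verification PIN should never be recoverable from a stolen record. The following is an added example, not code from the article or from Verizon or Nice Systems, of how such a PIN can be stored so that an exposed database does not directly hand the PIN to an attacker: each PIN is hashed with PBKDF2 using a per-record random salt plus a server-side pepper that lives outside the database (here a constructed constant; in practice it would come from a secrets manager or HSM). Because a 4-digit PIN has only 10,000 possible values, hashing alone only slows an offline guess, so the example also shows the per-account attempt counter that makes online guessing impractical.

```python
"""Storing call-center verification PINs as salted, peppered PBKDF2 hashes.

Added example (not from the article). PEPPER is a constructed placeholder; in a
real deployment it is loaded from a secrets manager, never stored next to the data.
"""
import hashlib
import hmac
import os

PEPPER = b"constructed-example-pepper-do-not-use"   # would live outside the DB
PBKDF2_ROUNDS = 200_000
MAX_ATTEMPTS = 5


def _derive(pin: str, salt: bytes, pepper: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the PIN, keyed with the pepper via HMAC so a
    database-only leak (salt + hash, no pepper) cannot be brute-forced offline."""
    peppered = hmac.new(pepper, pin.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS, dklen=32)


def store_pin(pin: str, pepper: bytes = PEPPER) -> dict:
    """Return the record to persist: salt, hash and attempt counter. No plaintext PIN."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(pin, salt, pepper), "failed_attempts": 0}


def verify_pin(record: dict, candidate: str, pepper: bytes = PEPPER) -> bool:
    """Constant-time check with lockout.

    Mutates record['failed_attempts']; once MAX_ATTEMPTS is reached every further
    call returns False until the account is unlocked out of band.
    """
    if record["failed_attempts"] >= MAX_ATTEMPTS:
        return False
    ok = hmac.compare_digest(_derive(candidate, record["salt"], pepper), record["hash"])
    if ok:
        record["failed_attempts"] = 0
    else:
        record["failed_attempts"] += 1
    return ok


def record_contains_plaintext(record: dict, pin: str) -> bool:
    """Audit helper: does the stored record leak the PIN in any field?"""
    needle = pin.encode("utf-8")
    return any(isinstance(v, (bytes, str)) and needle in (v if isinstance(v, bytes) else v.encode()) for v in record.values())


if __name__ == "__main__":
    rec = store_pin("4821")                      # constructed sample PIN
    print("correct PIN accepted:", verify_pin(rec, "4821"))
    print("wrong PIN rejected:", verify_pin(rec, "0000"))
    print("record leaks plaintext:", record_contains_plaintext(rec, "4821"))
```

The contrast with the article's scenario is the `verify_pin(rec, "4821", pepper=b"other")` case in the test: a copy of the database taken without the pepper cannot confirm even a correct guess, and the lockout counter caps what an attacker phoning the call center can try against the live system.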
Verizon seems to be disputing the claim that Nice Systems failed to obtain approval from the company before using its customers’ data this way. The wireless company said that Nice was helping it with a call center portal and required the data for the project.
Verizon stated the following:
By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.
Verizon also clarified that the majority of phone numbers on the Amazon server were for the wireline portal, and only some were mobile phone numbers. The company also said that the PINs were only used to authenticate customers calling to the wireline call center, but they could not provide online access to customer accounts. Verizon also noted that only 6 million accounts were exposed, as opposed to the 14 million reported by ZDNet.
Verizon apologized for the incident, but Representative Ted Lieu has already called for a Congressional hearing to find out more about what exactly happened. Verizon has been one of the wireless providers fighting the FCC’s recently overturned privacy rules, which would’ve put a bigger responsibility on ISPs and carriers to protect their customers’ information.
Under the overturned FCC privacy framework, the carrier would not have been able to obtain some of that information if it wasn’t strictly necessary to provide its services. With those rules overturned, ISPs and carriers are now much freer not only to collect more customer information, but also to share it with their partners, and, as it seems, often in cleartext form.