14 million Verizon subscribers' details leak from crappily configured AWS S3 data store

US telco giant insists only infosec bods saw the info

Updated Another day, another leaky Amazon S3 bucket. This time, one that exposed account records for roughly 14 million Verizon customers to anyone online curious enough to find it.

The cloud-hosted repository, ironically owned by Israel-based software security vendor NICE, contained terabytes of Verizon customer names, addresses, and account information – along with plenty of PINs, although the large majority of those were hashed.

The files, found in folders labeled "Jan-2017" to "June-2017," include ZIP files containing as much as 23GB of text data apiece when extracted, and they looked like voice recognition log files from customer calls. In addition to personal information, the data showed the callers’ customer satisfaction levels (including “FrustrationLevel” – hope they had a large number range) and whether they had fiber on order.

The poorly secured data store was found by Chris Vickery’s virtuous vigilantes at UpGuard, who have made a habit of scouring Amazon buckets for interesting data. On June 8, they found the data in an open Amazon Simple Storage Service (S3) bucket with a subdomain “verizon-sftp,” and figured it was worth a look. They immediately got in contact with those concerned.

“This exposure is a potent example of the risks of third-party vendors handling sensitive data,” UpGuard said today. “The long duration of time between the initial June 13 notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22, is troubling.”

Verizon was quick to put out a statement claiming there was nothing to see here. The US telco said that, other than the researcher and the developer working on the data, no one else had found it and there had been no theft.

“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area,” it said.

Verizon also disputed the exact number of customers involved in the case, and said any PINs found were used “to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts.”

The bucket also had a separate section covering another NICE partner, European telco Orange. UpGuard found French-language text files of “internal data” in a separate directory, but it doesn’t appear to have been useful.

NICE hasn’t responded to requests for comment on the matter, but it’s a definite black eye for a biz that touts its credentials as a data security handler – albeit one with some slightly dodgy customers. The firm was cited by Privacy International for helping to build a network surveillance system for the Colombian government, until the Attorney General killed the project over legal concerns. ®

Updated to add

NICE got back to us with the following statement:

Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.

This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.


Biting the hand that feeds IT © 1998–2022