Another day, another leaky Amazon S3 bucket. This time, one that exposed account records for roughly 14 million Verizon customers to anyone online curious enough to find it.
The cloud-hosted repository, ironically owned by Israel-based software security vendor NICE, contained terabytes of Verizon customer names, addresses, and account information – along with plenty of PINs, although the large majority of those were hashed.
The files, found in folders labeled "Jan-2017" to "June-2017," include ZIP files containing as much as 23GB of text data apiece when extracted, and they looked like voice recognition log files from customer calls. In addition to personal information, the data showed the callers’ customer satisfaction levels (including “FrustrationLevel” – hope they had a large number range) and whether they had fiber on order.
The poorly secured data store was found by Chris Vickery’s virtuous vigilantes at UpGuard, who have made a habit of scouring Amazon buckets for interesting data. On June 8, they found the data in an open Amazon Simple Storage Service (S3) bucket with a subdomain “verizon-sftp,” and figured it was worth a look. They immediately got in contact with those concerned.
“This exposure is a potent example of the risks of third-party vendors handling sensitive data,” UpGuard said today. “The long duration of time between the initial June 13 notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22, is troubling.”
Verizon was quick to put out a statement claiming there was nothing to see here. The US telco said that, other than the researcher and the developer working on the data, no one else had found it and there had been no theft.
“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area,” it said.
Verizon also disputed the exact number of customers involved in the case, and said any PINs found were used “to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts.”
The bucket also had a separate section covering another NICE partner, European telco Orange. UpGuard found French-language text files of “internal data” in a separate directory, but it doesn’t appear to have been useful.
NICE hasn’t responded to requests for comment on the matter, but it’s a definite black eye for a biz that touts its credentials as a data security handler – albeit one with some slightly dodgy customers. The firm was cited by Privacy International for helping to build a network surveillance system for the Colombian government, until the Attorney General killed the project over legal concerns. ®
Updated to add
NICE got back to us with the following statement:
Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business.
This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.