Verizon is fighting back against claims made in a ZDNet report that there was a large breach of its customers' data, telling other media outlets that no loss or theft of customer information occurred.
Chris Vickery, director of cyber risk research at security firm UpGuard, found the data on an Amazon S3 storage server late last month. The data was open to download for anyone who found the easy-to-guess web address. "Verizon's relationship with the customer is not at risk, but the customer is now at risk in other aspects of their lives". In June, data from more than 200 million voters was exposed by a data analytics firm, and in July, 3 million users on the WWE website had their information leaked. The data also included home addresses, email address, and Verizon account balances. However, these logs were also analyzed by Nice to "realize intent, and extract and leverage insights to deliver impact in real time". The data contains the records of customers who called the Verizon's customer services in the past 6 months. Some of the records are said to be partially redacted, but most were not redacted at all. Verizon said the Israeli technology company does not collect Social Security numbers or Verizon voice recordings. In this case, it wasn't Verizon itself that is responsible for the leak, but rather a third-party company partnered with Verizon.
It's unclear if anybody stole the data from the server. This time it's Verizon customers in the U.S. who were at risk, and the exposure is due to a misconfigured cloud-based file repository owned by Nice Systems.
Nice Systems has 85 of the Fortune 100 companies as customers and has been linked to government intelligence agencies and companies that crack phones. "Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project", the company added.
When you set up an S3 account and "bucket" (the term AWS uses for file storage), AWS actually sets the default permissions for that file as private, which means whoever left the records exposed had to override that default setting. Hackers can call up Verizon and pose as the user that they are targeting using the leaked PIN code, with the goal of redirecting messages sent for two-factor authentication to their own device so that they can log into the victim's online account.