Verizon is in the process of notifying customers of its Enterprise Solutions division that their data has been breached.
The news comes a few days after a treasure trove of information on 1.5 million Verizon Enterprise customers reportedly made its way onto an underground cybercrime forum, according to KrebsonSecurity.com, which broke the news on Thursday.
The seller is apparently offering the information at a hefty cost, selling chunks of 100,000 records for $10,000, or the entire database for $100,000. Those interested can reportedly even purchase information about security vulnerabilities in Verizon’s site.
Verizon said it fixed the vulnerability that led to the breach and is stressing that only basic customer contact information, such as names and email addresses, has been exposed.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in a statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information or other data was accessed or accessible.”
According to Krebs, the person selling the data is offering it in multiple formats, including MongoDB, something that’s led to speculation over whether or not MongoDB, a cross-platform document database, was hijacked in the process.
Verizon’s Enterprise Solutions is a B2B arm of the company that helps manage its government and business clients, a list that includes 97 percent of the Fortune 500, according to its site. The company actually releases an annual report each April – the Data Breach Investigations Report (DBIR) – that usually chronicles threat patterns from year to year.
Needless to say, while the irony around the breach has not been lost on experts, some are still wondering how the company could have been penetrated.
Details on exactly how Verizon was breached are scant, but Deral Heiland, Research Lead with Rapid7, surmises that since the attackers are selling information about the vulnerabilities, it may have been an SQL or other type of injection vulnerability.
“If MongoDB was being used, this is known as a ‘NoSQL’ database and traditional SQL injection attacks will not work, although NoSQL databases are still subject to injection attacks, which can be leveraged to extract data from the MongoDB,” Heiland said Friday.
Others, like John Prisco, CEO of the endpoint security firm Triumfant, have gone for the jugular.
“Ask yourself why the company that writes the annual DBIR has itself been breached? The answer is that the cyber companies receiving billions of dollars of funding are spending it on drive-time radio and other marketing hype; not enough on software development,” Prisco said. “It requires more than just the usual superficial understanding of one’s adversary to create an analytic cyber product capable of keeping up with the bad guys.”