As many as 14 million U.S.-based Verizon customers have had their data exposed by a partner of the telecommunications giant, which misconfigured a repository storing the personal information it had access to.
UpGuard director of cyber risk research Chris Vickery, who has made a living of finding millions of leaked credentials and personal data online, privately disclosed the leak to Verizon on June 8. Terabytes of customer data was found in an Amazon S3 repository and publicly accessible by just knowing the right URL.
Verizon, in a statement Wednesday, said the number has been overstated and that it’s closer to six million unique customer records.
The third party, NICE Systems, is an Israel-based company that provides surveillance technology to nation-states, along with voice analytics, data security and other call center and financial crime/fraud services. The insecure S3 repository was managed by an engineer at the company’s headquarters and was created to log customer call data “for unknown purposes,” UpGuard said in a disclosure published today. NICE also has a relationship with French telco Orange SA, according to text files stored on the server, UpGuard said.
The leaked data included customer names, addresses, account details and PINs which are used to verify customers to call center agents. NICE Systems tempered initial reports, blaming the incident on human error.
“Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that NICE divested several years ago and no longer has anything to do with our business,” a NICE systems representative said. “This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project.”
Verizon said in its statement that no data has been accessed because of the exposure.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention,” Verizon said. “In other words, there has been no loss or theft of Verizon or Verizon customer information.”
Verizon said NICE Systems was hired to improve a call center portal, and required the data in question. Verizon said the majority of data had “no external value,” and added there were no Social Security numbers or voice recordings among the data. As for the inclusion of the PIN codes in the data, Verizon said they were used to authenticate customers calling its wireline call center, and those codes do not provide online access to customer account.
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication,” UpGuard said.
Adding more angst the equation is the fact that the data remained exposed for nine days after UpGuard’s private disclosure.
“This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties,” UpGuard said.
Vickery, UpGuard said, found six folders titled “Jan-2017” through “June-2017” containing the customer data, and .zip files called “VoiceSessionFiltered” and “WebMobileContainment.” The monthly folders contained a directory for each day of the month, which UpGuard believes is an archive of automated logging of files. From the UpGuard report:
“Once unzipped, the contents of these daily logging folders are revealed to be sizable text files, some as large as 23 GB. Analyzing them, the general structure becomes apparent: the large text blocks appear to be composed of voice recognition log files, the records of an individual’s call to a customer support line, including fields like “TimeInQueue” and “TransferToAgent.” Pings to various subdomains of https://voiceportalfh.verizon.com further indicate the voice-activated technology producing this data.
“This is not all, however. A great many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large amount of these logged calls, however, the most sensitive data—such as “PIN” and “CustCode”—is masked.”
A number of the logged calls, however, are unmasked, UpGuard said, leaving customers and accounts exposed to attackers impersonating customers. For example, UpGuard said it found 6,000 unmasked PINs in one file.
Congressman Ted Lieu (D-Calif.) told ZDNet he would ask a Judiciary Committee to investigate.
“I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again,” Lieu said.
NICE may have been a call center service provider to Verizon, and UpGuard notes that SEC filings label NICE a “main partner” of Verizon’s in particular around call center efficiency analysis. The Israeli company has also made a number of recent call center acquisitions lending more credence to its relationship with Verizon.
“The prospect of a host of your applications and digital accounts being compromised from one third-party vendor’s exposure of data is not science fiction, but the unfortunate reality of cyber risk today,” UpGuard said. “The data exposed in the Verizon/NICE Systems cloud leak is, indeed, a testament to how profoundly every aspect of life today is touched by those systems to which we impart so much knowledge.”
This article was updated July 13 with a comment from NICE Systems.