
Verizon Cloud-Server Breach Puts 6M Customer Identities at Risk

Experts Exchange
A look at what happened in the Verizon cloud breach.

Yesterday, cyber resilience startup UpGuard issued a report stating that as many as 14 million U.S. Verizon customers have fallen victim to a hack that stole their names, addresses, account details, and PINs. The hack has been identified as a “misconfigured cloud-based file repository,” meaning customer information was moved to a publicly accessible bucket with a third-party cloud provider.


In response to this report and the media frenzy that followed, Verizon spokesman David Samberg issued a statement saying no loss or theft of customer information has occurred, and the lack of security only increased the risk of a hack. He also clarified that their reports show only 6 million customers and their PINs are at risk.


The Amazon S3 storage server housing Verizon’s information was controlled by Nice Systems, a company based in Ra’anana, Israel. Reports have specified that a single employee of Nice did not safeguard access to this information and, instead, left the data available for download by anyone who could find the web address.


UpGuard stated in their report that they notified Verizon of this vulnerability on June 13th. According to ZDNet’s report, it took more than a week for the information in question to be protected and safeguarded.


The customers at risk include anyone who called Verizon customer service within the last six months. When Verizon customers call in, they’re asked to provide their name, phone number, and PIN to access their account and verify their identity in order to proceed with the call. As on most customer service lines, Verizon’s calls are typically recorded and stored for later data analysis, training, feedback evaluation, and call volume reports. While some customer PINs were showing up as “masked” in UpGuard’s files, not all of Verizon's files had properly masked this information.


This hack comes at an interesting time in data and information security. With the most recent cyber attacks following the ransomware model (such as Petya and WannaCry), many security experts have been focused on identifying new strains of ransomware and ways to combat their progression. Due to these emergent situations affecting both companies and individual users, it’s safe to say the tech world’s focus has been diverted, possibly forgetting for a moment about the havoc that can occur when third-party providers do not protect client data access.


Unlike the AWS S3 outage that occurred in March, which brought up discussions of data diversification and replication in the cloud, this Verizon data breach in the cloud sheds light on the rarely discussed risk of allowing third-party institutions access to private client information. There are many sayings along the lines of, “It only takes one apple to spoil the bunch.” In this case, it only took one employee to expose more than 6 million customer identities.


Take Action: How to Protect Your Customer Data


Even though Verizon insists user information is safe now that the open access point has been mitigated, experts recommend users change log-in credentials to Verizon accounts as soon as possible.


Best practices for changing PINs typically apply to credit and debit card users, with recommendations like not using numbers that have to do with easy-to-access personal information such as birthdays and addresses. Most experts urge users to make a change if they believe their card PIN has been compromised, if someone has seen them enter the PIN, if they’re using the same PIN given by the card company, or if the PIN has been duplicated by the user and used across multiple cards or accounts.


The same practices can, and should, be followed with passwords and PINs for customer logins and online sites.


Many users may fall into the trap of using the same PIN or password for these consumer accounts in order to easily recall the information when asked by a customer service rep, or to log into their account when on the go. For obvious reasons, most experts warn against this practice—even with two-step authentication processes—because repetitive PINs and passwords only make it easier for hackers to gain access to various accounts. When changing PINs and passwords, also be sure to put some thought behind the new digits so you don’t fall back on the easily hacked PINs, like 1111.


Adelaido Jimenez, a member of the DevOps team at Experts Exchange, recommends changing your account password and PIN if you ever feel it’s been compromised.


“I would recommend changing your PIN immediately after any leaks like this one. While it’s hard to say exactly how often you should change passwords and PINs, I personally change my PINs every four months, unless I feel it has been compromised and then I’ll change it sooner,” he said.


1 Comment
 
by:Kyle Santos
I was able to do this easily last night by logging into my Verizon account online and going to settings to change the PIN.  I didn't even have to call customer service.