Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.
Yesterday, cyber resilience startup, UpGuard, issued a report that as many as 14 million U.S. Verizon customers have fallen victim to a hack that stole their names, addresses, account details, and PINs. The hack has been identified as a “misconfigured cloud-based file repository,” meaning customer information was moved to a publicly-accessible bucket with a third-party cloud provider.
In reply to this report and the following media frenzy, Verizon spokesman David Samberg issued a statement saying no loss or theft of customer information has occurred, and the lack of security only increased the risk of a hack. He also clarified that their reports show only 6 million customers and their PINs are at risk.
The Amazon S3 storage server housing Verizon’s information was controlled by Nice Systems, a company based in Ra’anana, Israel. Reports have specified that a single employee of Nice did not safeguard access to this information and, instead, left the data available for download by anyone who could find the web address.
UpGuard stated in their report that they notified Verizon on June 13th of this vulnerability. According to ZDnet’s report, it took more than a week for the information in question to be protected and safeguarded.
The customers at risk include anyone who called Verizon customer service within the last six months. When Verizon customers call in, they’re asked to provide their name, phone number, and PIN to access their account and verify their identity in order to proceed with the call. Like most customer service lines, Verizon’s are typically recorded and stored for later data analysis, training, feedback evaluation, and call volume reports. While some customer PINs were showing up as “masked” in UpGuard’s files, not all of Verizon's files had properly masked this information.
This hack comes at an interesting time in data and information security. With the most recent cyber attacks following the ransomware model (such as Petya and WannaCry), many security experts have been focused on identifying new strains of ransomware and ways to combat their progression. Due to these emergent situations affecting both companies and individual users, it’s safe to say the tech world’s focus has been diverted, possibly forgetting for a moment about the havoc that can occur when third-party providers do not protect client data access.
Unlike the AWS S3 outage that occurred in March, which brought up discussions of data diversification and replication in the cloud, this Verizon data breach in the cloud sheds light on the often undiscussed risk of allowing third-party institutions access to private client information. There are many sayings along the lines of, “It only takes one apple to spoil the bunch”. In this case, it only took one employee to expose more than 6 million customer identities.
Take Action: How to Protect Your Customer Data
Even though Verizon insists user information is safe now that the open access point has been mitigated, experts recommend users change log-in credentials to Verizon accounts as soon as possible.
Best practices for changing PIN numbers typically apply to credit and debit card users, with recommendations like not using numbers that have to do with easy-to-access personal information such as birthdays and addresses. Most experts urge users to make a change if they believe their card PIN has been compromised, if someone has seen them enter the PIN, if they’re using the same PIN given by the card company, or if the PIN has been duplicated by the user and used across multiple cards or accounts.
The same practices can—and should—be followed with password PINs for customer log ins and online sites.
Many users may fall into the trap of using the same PIN or password for these consumer accounts in order to easily recall the information when asked by a customer service rep, or to log into their account when on the go. For obvious reasons, most experts warn against this practice—even with two-step authentication processes—because repetitive PINs and passwords only make it easier for hackers to gain access to various accounts. When changing PINs and passwords, also be sure to put some thought behind the new digits so you don’t fall back on the easily hacked PINs, like 1111.
Adelaido Jimenez, a member of the DevOps team at Experts Exchange, recommends changing your account password and PIN if you ever feel it’s been compromised.
“I would recommend changing your PIN immediately after any leaks like this one. While it’s hard to say exactly how often you should change passwords and PINs, I personally change my PINs every four months, unless I feel it has been compromised and then I’ll change it sooner,” he said.