[BreachExchange] Millions of Verizon customer records exposed in security lapse

[Richard Forno]

Millions of Verizon customer records exposed in security lapse

Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed.
 
By Zack Whittaker for Zero Day | July 12, 2017 -- 13:00 GMT (06:00 PDT) | Topic: Security

An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.

As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company.

Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key  vertical. The company has more than 25,000 customers in about 150 countries.

Privacy watchdogs have linked the company to several government intelligence agencies, and it's known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite. In regulatory filings with the Securities and Exchange Commission, Nice noted that it can't control what customers do with its software. "Our products may also be intentionally misused or abused by clients who use our products," said Nice in its annual report.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June.

It took over a week before the data was eventually secured.

The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service.

Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.

Several security experts briefed on the exposure prior to publication warned of phone hijacking and account takeovers, which could allow hackers to break into a person's email and social media accounts protected even by two-factor authentication.

Verizon has over 108 million post-paid wireless customers.

Six folders for each month from January through to June contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company's datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer's home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer's "frustration score," by detecting if certain keywords are spoken by a customer during a call.

< - >

http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/