As many as 14 million U.S.-based Verizon customers have had their data exposed by a partner of the telecommunications giant, which misconfigured a repository storing the personal information it had access to.
UpGuard director of cyber risk research Chris Vickery, who has made a living of finding millions of leaked credentials and personal data online, privately disclosed the leak to Verizon on June 8. Terabytes of customer data was found in an Amazon S3 repository and publicly accessible by just knowing the right URL.
The third party, NICE Systems, is an Israel-based company that provides surveillance technology to nation-states, along with voice analytics, data security and other call center and financial crime/fraud services. The insecure S3 repository was managed by an engineer at the company’s headquarters and was created to log customer call data “for unknown purposes,” UpGuard said in a disclosure published today. NICE also has a relationship with French telco Orange SA, according to text files stored on the server, UpGuard said.
The leaked data included customer names, addresses, account details and PINs which are used to verify customers to call center agents. A request for comment from Verizon and NICE Systems was not returned in time for publication.
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication,” UpGuard said.
Adding more angst the equation is the fact that the data remained exposed for nine days after UpGuard’s private disclosure.
“This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties,” UpGuard said.
Vickery, UpGuard said, found six folders titled “Jan-2017” through “June-2017” containing the customer data, and .zip files called “VoiceSessionFiltered” and “WebMobileContainment.”
The monthly folders contained a directory for each day of the month, which UpGuard believes is an archive of automated logging of files. From the UpGuard report:
“Once unzipped, the contents of these daily logging folders are revealed to be sizable text files, some as large as 23 GB. Analyzing them, the general structure becomes apparent: the large text blocks appear to be composed of voice recognition log files, the records of an individual’s call to a customer support line, including fields like “TimeInQueue” and “TransferToAgent.” Pings to various subdomains of http://vz.to/2uSp6p1 further indicate the voice-activated technology producing this data.
“This is not all, however. A great many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large amount of these logged calls, however, the most sensitive data—such as “PIN” and “CustCode”—is masked.”
A number of the logged calls, however, are unmasked, UpGuard said, leaving customers and accounts exposed to attackers impersonating customers. For example, UpGuard said it found 6,000 unmasked PINs in one file.
Congressman Ted Lieu (D-Calif.) told ZDNet he would ask a Judiciary Committee to investigate.
“I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again,” Lieu said.
NICE may have been a call center service provider to Verizon, and UpGuard notes that SEC filings label NICE a “main partner” of Verizon’s in particular around call center efficiency analysis. The Israeli company has also made a number of recent call center acquisitions lending more credence to its relationship with Verizon.
“The prospect of a host of your applications and digital accounts being compromised from one third-party vendor’s exposure of data is not science fiction, but the unfortunate reality of cyber risk today,” UpGuard said. “The data exposed in the Verizon/NICE Systems cloud leak is, indeed, a testament to how profoundly every aspect of life today is touched by those systems to which we impart so much knowledge.”