Millions of Verizon customer records were left exposed in a loosely secure database by an Israeli technology company, ZDNet reported.
As many as 14 million customer records gathered over the last six months from the largest telecommunications company in the United States were found on an unprotected Amazon storage server controlled by Nice Systems.
Included in the massive database which was first discovered by Chris Vickery, director of cyber risk researcher at security company UpGuard were log files of communications from Verizon customers who had called customer service.
The records included customer names, cell phone number and account PIN a security layer that if acquired could allow anyone to access the subscriber’s account.
Were an attacker to gain access to a person’s PIN, they could theoretically hijack the victim’s Verizon account and phone number.
Such a takeover would give the attacker the ability to intercept two-factor authentication messages, bypassing additional protection on the victim’s other accounts.
The database also contained hundreds of additional fields of data points for each account, including the customer’s type of subscription plan, the balance on their account, and if the customer is a member of the federal government.
Nice Systems, the company responsible for the server that housed the information, had access to the data to analyze customer service call experience.
The Israel-based company listens to the recorded service calls to help improve the customer experience and used the account records to verify caller information.
The company generates a “frustration score” for each call by detecting certain words or phrases spoken during the interactions with Verizon support staff.
Verizon was reportedly informed in late June of the database that left millions of its customer’s account details exposed.
It took over a week before the telecom giant and its partner Nice Systems finally secured the server.
“This breach once again demonstrates the fact that cloud services like [Amazon Web Services] can be secure, but it is up to organizations using them to ensure that services are configured in a secure fashion,” Rich Campagna, CEO of cloud security firm Bitglass told.
Campagna called the unprotected Verizon server a “massive data leak” that could have been avoided with the right security measures. “Companies like Verizon must put policies in place that require third-party vendors like Nice to adequately protect any customer data that touches the cloud,” he said.
The Verizon customer data is just the latest to be exposed by an unprotected server.
Earlier this month, personal information of more than three million WWE wrestling fans was left exposed online in a server, likely by a marketing company.
Even more troubling, earlier this year nearly 200 million voter registration files that could be used to identify American voters were discovered on an unsecured server.
The records were also discovered on an unprotected Amazon server, which was owned by Republican data analytics firm Deep Root Analytics.