The data was exposed by a Nice Systems engineer based in Israel who forgot to secure Verizon's customer data stored in the cloud
Another day, another unsecured data storage system reveals millions of customer records. This time it's Verizon customers in the US who were at risk, and the exposure is due to a misconfigured cloud-based file repository owned by Nice Systems.
According to UpGuard, who discovered the unsecured data, up to 14 million Verizon customer details were available to download by anyone who could guess a web address. Verizon has since clarified it was 6 million.
UpGuard traced the data back to a Nice Systems engineer based in the company's Ra'anana, Israel headquarters. Nice Systems provides both back-office and call center operations systems for Verizon. The Nice engineer had setup an Amazon Web Service S3 data store which was then used to log Verizon customer call data. That data included names, addresses, phone numbers, and account PIN codes. Used together, they would give a scammer everything required to pose as a Verizon customer on a call.
According to ZDNet, the data is collected from customer calls and stored by Nice Systems so that it can be analyzed to help improve the customer service experience. The log files created contain the last six months of customer call data. But why was it unsecured, and why was it the responsibility of a single engineer at Nice?
What's also worrying beyond the lack of security is the slow response by Verizon to the threat. UpGuard informed Verizon of the security risk on June 13, but it wasn't fixed until June 22.
In a press release, Verizon responded to the data exposure discovery by stating, "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."
The release goes on to state that, "The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."
UpGuard’s Cyber Risk Team can now report that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs)of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.
(UPDATE: 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed).
The UpGuard Cyber Risk Team is a unit devoted to discovering data exposures where they exist, helping to secure them and raising awareness about the issues of cyber risk driving data insecurity across the digital landscape.
The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations. In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A.—another NICE Systems partner that services customers across Europe and Africa.
Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.
Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.
NICE Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy. This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties.
On June 8th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access. The database and its many terabytes of contents could thus be accessed simply by entering the S3 URL.
The repository’s subdomain, “verizon-sftp,” is an indication of the files’ corporate origins. Viewing the repository, there are six folders titled “Jan-2017” through “June-2017,” as well as a number of files formatted with .zip, among them “VoiceSessionFiltered.zip” and “WebMobileContainment.zip.” These files, inaccessible via .zip extraction, could be decompressed once the format was changed to .gzip, another file compression program.
The “verizon-sftp” repository.
Each month-named folder contains directories corresponding to each day of the month. Within each of these day folders are a couple dozen or so compressed files. By every indication, this is a repository for the automated daily logging of files. The folder for “June-2017” records a halt to logging on June 22nd.
The daily log folders in the “Apr-2017” folder.
Once unzipped, the contents of these daily logging folders are revealed to be sizable text files, some as large as 23 GB. Analyzing them, the general structure becomes apparent: the large text blocks appear to be composed of voice recognition log files, the records of an individual’s call to a customer support line, including fields like “TimeInQueue” and “TransferToAgent.” Pings to various subdomains of https://voiceportalfh.verizon.com further indicate the voice-activated technology producing this data.
This is not all, however. A great many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large amount of these logged calls, however, the most sensitive data—such as “PIN” and “CustCode”—is masked.
A call log, with the most sensitive data masked.
But not all of the records have these details “masked” in this manner. For a smaller amount of these logged calls, there is no such masking at all—revealing such details as unmasked “PIN” codes. Such account PINs are a crucial part of verifying callers as legitimate customers, ensuring impersonators cannot access and change Verizon account settings. Other fields and their answers, such as “CallCenterPassword,” indicate which account-holders have requested a higher standard of security for customer service calls to change account settings, allowing any potential scammers in possession of the logs to determine which customers would be easier to victimize. In one such text file, there were six thousand such unmasked PIN codes.
A call log, with the most sensitive data exposed (here redacted by UpGuard).
Less immediately explicable is the presence in the S3 server of data originating from French telecoms provider Orange, another partner of Nice Systems and one with which Verizon competes in the European data market.
French-language data originating from Paris-based telecom Orange S.A.
While it appears this internal Orange data is less sensitive, it is noteworthy to see such information included in a repository otherwise devoted to Verizon.
The SignificanceThe critical data repository in question was exposed not by the enterprise holding primary responsibility for the information, but by a third-party vendor to the enterprise. It was a publicly accessible AWS S3 bucket owned by third-party vendor NICE Systems that revealed the sensitive personal details of Verizon customers.
To judge by much of its website copy and marketing material, NICE Systems is indeed a company that provides technology of particular use to call centers, a crucial component of the Verizon business chain. SEC filings reveal NICE Systems to call Verizon a “main partner,” providing the telecom carrier with such software as a workforce management tracker to monitor how efficiently call center operators are using their time. Other programs offered within the suite of NICE Enterprise software include data and voice analytics software, technology in which NICE has made significant investments as crucial to call center customers.
Beyond such direct business, a series of high-profile US acquisitions by the Israeli firm have given them an even closer business relationship with Verizon’s North America operations than might be immediately apparent. In 2016, NICE acquired inContact and VPI, both firms that have in the past supplied Verizon with software for its back-office and call center operations.
In short, NICE Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data. Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements. There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise.
Beyond the sensitive details of customer names, addresses, and phone numbers—all of use to scammers and direct marketers—the prospect of such information being used in combination with internal Verizon account PINs to takeover customer accounts is hardly implausible. To do so would enable impersonators to tell Verizon call center operators to do whatever was wished of them—enabling, perhaps, costly “SIM Swap” scams of customer SIM cards, or, as reported by The Verge, the breaching of two-factor authentication:
“Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account. At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.”The prospect of a host of your applications and digital accounts being compromised from one third-party vendor’s exposure of data is not science fiction, but the unfortunate reality of cyber risk today. The data exposed in the Verizon/NICE Systems cloud leak is, indeed, a testament to how profoundly every aspect of life today is touched by those systems to which we impart so much knowledge.
Thecomputerheale.com makes no claims about the efficacy of the information contained in the documents and related graphics published on this website for any purpose. All information, documents and graphics are provided "as is" without any kind of guarantee of effectiveness. Thecomputerhealer.com hereby disclaims all responsibility for the manner in which the information offered on this website is used by you.
In no event shall Thecomputerhealeronline.com be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits arising out of or in connection with the use or performance of information available from this website.
The documents and related graphics published on this website may include technical inaccuracies or typographical errors. Changes are periodically added to the information on this website. Thecomputerhealer.com reserves the right, at its discretion, to change or modify all or any part of this agreement and the content on website at any time, effective immediately upon publication of this notice.
Your continued use of this website constitutes your binding acceptance of these terms and conditions, including any changes or modifications made by Thecomputerhealer.com as permitted above. If, at any time, the terms and conditions of this agreement are no longer acceptable to you, you should immediately cease using this website.