Chris Vickery, director of cyber risk research at UpGuard, has discovered more sensitive information exposed on an unprotected “bucket” on an Amazon AWS server. This time it includes – among other things – the names, phone numbers, and account PINs of some 14 million Verizon customers.
The information was used by, and should have been secured by, Nice Systems, an Israel-based company that Verizon contracted to improve its customer service.
“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” a Verizon spokesperson told ZDNet. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
While Verizon and Nice Systems are attempting to minimize the impact of the revelation, and are claiming that there is no indication that anyone besides Vickery stumbled upon the data and exfiltrated it, information security experts are pointing out that attackers could easily hijack user accounts with the aforementioned data set.
What’s even worse: in this age of two-factor authentication schemes relying on SMS, losing control of one’s cell phone account could lead to a lot of problems and monetary loss.
An attacker who takes over a target’s mobile phone account can receive the authentication codes sent by email services, social networks, online payment companies, and banks.
As former FTC chief technologist Lorrie Cranor told ZDNet, “in the best case it is a hassle: your phone stops working and it requires several phone calls to customer service and the fraud department and a trip or two or three to the phone store to get everything sorted out.”
The worst-case scenario is the successive hijacking of many of your other accounts, and theft of funds where possible, e.g. from a bank account, a PayPal account, and so on.
“The exposure of highly sensitive information via misconfigurations in public cloud services such as Amazon S3 is becoming far too frequent and the world is taking note. It has become abundantly clear that many users still do not fully understand how to configure S3 buckets to prevent data exposure,” says Dome9 CEO Zohar Alon.
“These examples put an exclamation point on the one-strike law for security in the public cloud. A single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, it no longer takes an elaborate attack to damage an organization’s reputation. Damaging leaks and breaches such as this will continue to rise until there is more of an emphasis on training and technology to address these very basic process failures.”
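The misconfiguration described above, “AWS storage set to allow external access,” comes down to an S3 bucket ACL grant or bucket-policy statement that opens read access to anyone. The following is an added example, not code from the article or from any of the companies named in it: an offline audit check over the ACL and policy structures that the S3 API returns, with all sample bucket data constructed for illustration (the bucket name, owner ID and VPC endpoint ID are placeholders).

```python
"""Offline check for S3 bucket ACLs / policies that allow external (anonymous) read.
Input shapes mirror get_bucket_acl / get_bucket_policy output; samples are constructed."""
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def public_acl_grants(acl):
    """ACL grants that hand read (or full control) to an all-users group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in READ_PERMISSIONS]


def public_policy_sids(policy_json):
    """Sids of unconditional Allow statements granting read actions to Principal '*'."""
    hits = []
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if (s.get("Effect") == "Allow" and anyone and not s.get("Condition")
                and set(_as_list(s.get("Action", []))) & READ_ACTIONS):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def bucket_is_exposed(acl, policy_json):
    """True if either the ACL or the bucket policy opens the bucket to the public."""
    return bool(public_acl_grants(acl) or public_policy_sids(policy_json))


# Constructed samples: an exposed bucket and a correctly locked-down one (placeholder IDs).
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER"},
               "Permission": "FULL_CONTROL"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
```

A Principal of `*` is only safe when a Condition restricts who can satisfy it, which is why the `VpcOnly` statement is not flagged while `PublicRead` is.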