Millions of Verizon customers affected by security breach

Verizon confirmed that a recent security incident exposed the personal identification numbers and other private information pertaining to millions of telecom customers.

Six million unique Verizon user accounts were affected by a data breach suffered by a third-party vendor detected last month, Verizon said Wednesday.

UpGuard, a Silicon Valley security firm that first reported the data breach, said as many as 14 million Verizon accounts may have been affected.

In a blog post published Wednesday, UpGuard said one of its researchers discovered a misconfigured internet-connected database on June 8 containing a trove of data related to Verizon users, including customers’ names, addresses and phone numbers in addition to the unique PINs used to protect the accounts.

UpGuard notified Verizon about the breach on June 13 and the data was no longer publicly available as of June 22, according to the blog post. Prior to then, however, UpGuard said the information could have easily been discovered by anyone knowing where to look.

“Anyone entering a URL in a browser would have been able to access it,” UpGuard analyst Dan O’Sullivan told The Los Angeles Times Wednesday.

The misconfigured database wasn’t managed by Verizon, according to UpGuard, but Nice Systems, an Israeli-based company that helps the telecom with customer service calls. The publicly available data specifically concerned Verizon users who called customer support between Jan. 1 and June 22., Mr. O’Sullivan said.

“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” a Verizon spokesperson told ZDNet Wednesday, referring to Amazon Web Services, a cloud computing platform commonly used to host internet-accessible databases. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

Nice attributed the mix-up to “human error” involving an “isolated staging area with limited information,” Los Angeles Times reported Wednesday.

Verizon said in a statement that the breach involved a “limited amount of personal information” that “had no external value.

Critics claim otherwise, however, and allege the information could have been used to take full control over a target’s telecom account.

“If anyone had that information they could go online and have access to your account, and your call log,” Rep. Ted Lieu, California Democrat, told ZDNet. “I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again.”

Verizon said this week that “no other external party accessed the data,” but declined to explain its reasoning when pressed further, ZDNet reported. The breach is currently under investigation, Verizon said.