Security Flaw Exposes Millions of Verizon Customers’ Information

The personal data of as many as 14 million Verizon Wireless customers was recently discovered on an unprotected Amazon Web Services (AWS) server operated by Nice Systems, a Ra’anana, Isreal-based software company, according to ZDNet.

Nice, whose overall revenue in 2016 topped $1.01 billion, is a software analytics firm that counts 85 of Fortune’s Top 100 companies as customers, and primarily works in two key factions of the enterprise software market: customer engagement and financial crime & compliance. Overall, the company serves upwards of 25,000 clients in over 150 countries, including several government agencies and major financial services entities including telecom-giants like Verizon.

The data, which included call records of Verizon subscribers who phoned into the company’s customer service department between January and June, 2017, was discovered in late-June by Chris Vickery — director of cyber risk research with security firm UpGuard, who privately informed Big Red of the data shortly after its discovery. While the data was ultimately secured within the week that followed, during the time it was unsecured was easily downloadable by anyone who could guess the server’s web address.

“Our products may also be intentionally misused or abused by clients who use our products,” Nice said during its recent annual report.

What Data Was Obtained?

Records stored on the unsecured server included automatically-generated call logs containing information such as the customer’s name, cellular phone number, and account PIN. According to a Verizon call center representative who spoke to ZDNet on condition of anonymity, this information, if breached, could grant unauthorized users access to a subscriber’s account.

Whenever a Verizon subscriber calls into customer service, the interactions are recorded, transmitted, and analyzed by Nice Systems, which says it can “realize intent, and extract and leverage insights to deliver impact in real time” to help the company improve the quality of its customer service. Records spanning from January to June also contained “hundreds of fields of additional data,” including home and email addresses, additional Verizon services a customer is signed up for, and their account balance — just to name a few. Interestingly, the records also included each customer’s “frustration score,” which is determined based on whether they spoke certain keywords during their call.

While logs referenced “customer voice recordings,” ZDNet was able to confirm there were in fact no audio files discovered on the unsecured server — but for the most part, key customer data was still visible in written form.

Democratic Congressman Ted Lieu (D-CA), who’s both a Computer Science major and a Verizon Wireless subscriber, himself, described the exposure as “highly troubling.”

“I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again,” he told ZDNet.

Meanwhile, a Verizon spokesperson said the company is currently investigating how its customer data was improperly stored on the AWS server, as part of its “ongoing project” to improve customer service. “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” the spokesperson said, while adding that “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

The silver lining in all of this, according to Verizon, is that the “overwhelming majority” of information stored on the server has “no external value.” “There is some personal information in the data set,” the spokesperson said, “but as indicated earlier, there is no indication that the information has been compromised.”

On Monday, Verizon followed-up claiming that an investigation determined “no other external party accessed the data.” However, when pressed for additional details, the company wouldn’t say how it came to that conclusion, citing security concerns.

A friendly word to the wise: if you’ve personally called into Verizon customer service at some point this year, you might want to change your account PIN just in case.