An organization is only as secure as its most vulnerable partner, which is a lesson Verizon is learning the hard way this week as 14 million records belonging to its subscribers were found on an unprotected Amazon S3 storage server managed by Israeli software company Nice Systems.
The customer records include a customer’s name, cell phone number, and their account pin, which could be used to grant access to a subscriber’s account, according to a report by ZDNet. Verizon said there is no evidence that the information in the data set had been compromised.
UpGuard researcher Chris Vickery found the data and told Verizon of the exposure at the end of June. It took over a week before the data was secured. Last month, UpGuard discovered exposed personal information belonging to more than 198 million registered U.S. voters stored in an Amazon S3 bucket belonging to data firm Deep Root Analytics.
The records also included data such as a customer’s home address, email address, their account balance, and if a subscriber has a Verizon federal government account, among other data. There were no audio files found on the server.
The data was contained in log files that generated over the last six months as Verizon customers called customer service. Nice stores the records to analyze “intent, and extract and leverage to deliver impact in real time” which allows Verizon to improve customer service.
A Verizon spokesperson told ZDNet that the company had provided the vendor with “certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
Nice has remained quiet on the issue, noting that the data was part of a “demo system” and that no other Nice customer has been impacted. The company said it will continue to investigate the exposure as Verizon does the same.