Security TV: Can cyber insurance bring standards to security?
An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.
As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra'anana, Israel-based company.
The data was downloadable by anyone with the easy-to-guess web address.
Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice's 2016 revenue was $1.01 billion, up from $926.9 million in the previous year. The financial services sector is Nice's biggest industry in terms of customers, with telecom companies such as Verizon a key vertical. The company has more than 25,000 customers in about 150 countries.
Privacy watchdogs have linked the company to several government intelligence agencies, and it's known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite. In regulatory filings with the Securities and Exchange Commission, Nice noted that it can't control what customers do with its software. "Our products may also be intentionally misused or abused by clients who use our products," said Nice in its annual report.
Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June.
It took over a week before the data was eventually secured.
The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service. These interactions are recorded, obtained, and analyzed by Nice, which says it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon uses that data to verify account holders and to improve customer service.
Each record included a customer's name, a cell phone number, and their account PIN -- which if obtained would grant anyone access to a subscriber's account, according to a Verizon call center representative, who spoke on the condition of anonymity as they were not authorized to speak to the press.
Several security experts briefed on the exposure prior to publication warned of phone hijacking and account takeovers, which could allow hackers to break into a person's email and social media accounts protected even by two-factor authentication.
Verizon has over 108 million post-paid wireless customers.
Six folders for each month from January through to June contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company's datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer's home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer's "frustration score," by detecting if certain keywords are spoken by a customer during a call.
Although the logs referenced customer voice recordings, there were no audio files found on the server.
Some of the records were "masked" in what appears to be a redaction effort to prevent an unauthorized disclosure of private information. But most of the customer records are in part or entirely visible.
Ted Lieu, a Democratic congressman and computer science major, said the exposure was "highly troubling."
"I'm going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn't happen again," he told ZDNet.
Lieu, also a Verizon customer, said: "I would like to know if my data was breached."
Verizon said it was investigating how its customer data was improperly stored on the Amazon Web Services (AWS) server as "part of an authorized and ongoing project" to improve its customer service.
"Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project," said a spokesperson. "Unfortunately, the vendor's employee incorrectly set their AWS storage to allow external access."
One account from a senior Verizon employee with knowledge of the situation said that the company was unaware that the data was being exfiltrated or exported, and Verizon had no control over the server.
The phone giant said that the "overwhelming majority of information in the data set has no external value."
"There is some personal information in the data set," said the spokesperson, "but as indicated earlier, there is no indication that the information has been compromised."
Verizon also would not say how it "masked" data, citing security concerns.
Nice said it too was investigating the exposure. A spokesperson said that none of its systems or products were breached and "no other Nice customer data was involved."
Vickery said, however, that there was evidence that data from Orange, a European telecoms provider was for a time also stored on the exposed server, according to Vickery, suggesting the data exposure may not be limited to Verizon. (Orange did not respond to a request for comment.)
A Nice spokesperson later said that the data was "part of a demo system," and did not comment further.
It remains unclear who else at Nice had access to the server, or if the data was downloaded by anyone else.
Verizon said that it had requested information on who had access to the storage. A spokesperson said Monday that an investigation determined "no other external party accessed the data." When pressed, the company would not say how it came to that conclusion.