Another day, another unsecured data storage system reveals millions of customer records. This time it’s Verizon customers in the US who were at risk, and the exposure is due to a misconfigured cloud-based file repository owned by Nice Systems.
According to UpGuard, who discovered the unsecured data, up to 14 million Verizon customer details were available to download by anyone who could guess a web address. Verizon has since clarified it was 6 million.
UpGuard traced the data back to a Nice Systems engineer based in the company’s Ra’anana, Israel headquarters. Nice Systems provides both back-office and call center operations systems for Verizon. The Nice engineer had setup an Amazon Web Service S3 data store which was then used to log Verizon customer call data. That data included names, addresses, phone numbers, and account PIN codes. Used together, they would give a scammer everything required to pose as a Verizon customer on a call.
According to ZDNet, the data is collected from customer calls and stored by Nice Systems so that it can be analyzed to help improve the customer service experience. The log files created contain the last six months of customer call data. But why was it unsecured, and why was it the responsibility of a single engineer at Nice?
What’s also worrying beyond the lack of security is the slow response by Verizon to the threat. UpGuard informed Verizon of the security risk on June 13, but it wasn’t fixed until June 22.