What is the Latest Verizon Breach All About?
Cloud security is in the news again, and for the wrong reasons. A badly-configured cloud storage database exposed the information of more than 14 million U.S customers. This breach was first identified on June 8th by a Upguard Cyber Risk Analyst, and it took Verizon a week to fix this leak.
So, what really happened?
Personal details of 14 million Verizon customers was stored in an unprotected Amazon S3 server that was managed by an Israel-based company called NICE. In fact, NICE handles the back-office and call center operations for Verizon. This means, any customer who has called the call center over the last six months is a part of the breach.
The data that was exposed includes the name, address, phone numbers and zip codes of customers. Any scammer who has access to this information can call the call center, pose as customers by giving the right answers to personal questions and can tamper with the account. At this point in time, it’s not known if any customer’s data was misused, but it won’t be a surprise if such cases come up in the future, considering that the database was wide open for at least a few months.
This brings up the next question – how in the world did Verizon or NICE for that matter allow such a breach to happen?
It all happened due to one Amazon employee’s accidental click. He unchecked a box and this made the database public. By default, Amazon makes all its databases private, so you’ll have to uncheck an option to make it public. That’s exactly what this employee had done.
Neither Verizon nor NICE knew about this until it was reported by the Upguard analyst.
This is the second such breach for Amazon S3 this year and it brings the focus right back to cloud security. In February of this year, many websites and apps were shut down on the east coast of the U.S when an Amazon employee made a typo in the command input.
Such errors show that the cloud may not be as secure as we may think.
If you look at it closely, why should customers of cloud providers or for that matter, the end-users suffer because of a mistake done by the cloud provider’s employee? By now, a lot of the data that was available in the database would be in the dark web market where it would be sold and resold for thousands of dollars. Unsuspecting customers have to eventually bear the costs that come with such negligence, and that too, for no fault.
Also, we don’t expect it from companies like Amazon as they have built a positive reputation for themselves over the last several years. In fact, Amazon is considered to the king in cloud storage and its revenues run into billions of dollars of every year.
Considering all these factors, there is no place for such negligence. Let’s see if Amazon is going to take any steps at all in this regard.