A third-party vendor working with American telco giant Verizon left the data of as many as 14 million United States customers exposed on a misconfigured server, a security researcher has discovered.
Chris Vickery, a researcher at security vendor UpGuard, on 28 June spotted exposed names, addresses, account details, account personal identification numbers (PINs) and information fields used for customer satisfaction tracking, covering as many as 14 million US customers.
The data was contained on a misconfigured Amazon S3 data repository owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon, Vickery wrote.
If an attacker had accessed the information, it would have allowed them to pose as Verizon and contact the telco to gain access to users' accounts.
The scenario is especially threatening given the increasing reliance on mobile communications for two-factor authentication.
The data repository appears to have been created to log customer call data for unknown purposes.
It was fully downloadable and configured to allow public access. All one would need to access the data was the S3 bucket's URL.
Verizon said it was able to confirm there was no loss or theft of the information.
“An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access,” a spokesperson said.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention.”
Despite Verizon's assurances, researchers criticised the insecure practice, highlighting how frequently information is left exposed on Amazon S3.
The recent WWE, US voter records and Scottrade leaks also exposed sensitive information through mismanaged AWS S3 buckets, said Zohar Alon, co-founder and chief executive of cloud security vendor Dome9.
“Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous,” Alon said.
“A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organisation's reputation at risk.”
He said these examples highlighted how a single vulnerability, security lapse or process lapse in the public cloud is all it takes to expose highly sensitive private data to the world.