Third-party vendor blamed for Verizon data leak
- An employee of NICE Systems, one of Verizon’s vendors, placed information into a cloud storage area and incorrectly set the storage to allow external access, according to a Verizon blog and a report from Upguard.
- The snafu exposed customer names, addresses, account details and account personal identification numbers (PINs). Upguard initially reported 14 million customers were impacted, but Verizon said it was only six million unique customers. Verizon said there had been no loss or theft of Verizon or Verizon customer information.
- The Amazon Web Services S3 bucket in question appears to have been created to log customer call data. Verizon says NICE Systems was collecting the data as part of a project to improve a residential and small business wireline self-service call center portal. Verizon uses NICE Systems technology in its back-office and call center operations.
Verizon apologized for the incident on its website, but did little else to ease customer concerns about data privacy. Upguard said the fact that PIN codes were exposed was "particularly concerning" because if a hacker had accessed the information, PIN codes could allow him or her to gain access to accounts fairly easily.
It’s a new concern for the cloud era. Handing data over to third parties can put companies at great risk, and the company itself is ultimately responsible, not the third party. Such data leaks can result in significant reputational and financial damage. Anthem just settled over a 2015 data breach, with a payout of $115 million to the 80 million people affected whose personal information was leaked.
The human error factor is also of growing concern. In March, an Amazon Simple Storage Service (S3) outage that occurred in the Northern Virginia Region was blamed on human error. The outage, which lasted about four hours, affected over half of the top 100 e-commerce retailers’ web sites.