Verizon, which you might remember from sending you cellphone bills or from being sued by the city of New York for failing to install citywide FIOS cable by the end of 2014, is in hot water after millions of customer records were exposed by a third party vendor the telecom giant worked with.
Cybersecurity firm UpGuard first called attention to the exposed data, charging that up to 14 million customer records (including things like names, phone numbers and addresses) were carelessly exposed by a vendor who didn't secure the data. Verizon has disputed this number; according to a company spokesperson there were 6 million records in the data.
According to UpGuard's report on the matter, the Verizon data was stored by NICE Systems, a company that provides technology to run call centers efficiently but also has a "history of supplying technology for use in intrusive, state-sponsored surveillance." The Verizon data that NICE had access to was stored on a publicly-accessible server, and could be downloaded by anyone who came across the page either on purpose or accidentally.
The files that UpGuard reviewed contained records like customer names, phone numbers and addresses, and most disturbingly in some cases, unmasked PIN numbers, which can be used to impersonate customers and change their account settings. In one text file alone, six thousand PIN numbers were left unmasked.
UpGuard also claims that they contacted Verizon about the data breach on June 13th, but that the customer records remained publicly available until June 22nd. A "senior Verizon employee" told ZDNet that "the company was unaware that the data was being exfiltrated or exported, and Verizon had no control over the server."
However, UpGuard suggests that the excuse that this was the fault of a third party rings hollow, since Verizon customers may not have even known a third-party vendor had access to their data and "any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise."
David Samberg, a spokesperson for Verizon, told Gothamist that the company has "been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information." Samberg declined to go into detail about how that determination was reached because the company does not reveal details of their investigations.