MORE THAN 14 million Verizon customer records, including phone numbers and account PINs, were reportedly exposed online last month.
The security ballsup, discovered by UpGuard, involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. This data was publicly accessible to anyone who had the "easy-to-guess" URL, the security firm said.
"UpGuard director of cyber risk research, Chris Vickery, discovered a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access. The database and its many terabytes of contents could be accessed simply by entering the S3 URL," the firm said.
The data contained names, phone numbers and, according to UpGuard, PINs that could be used to access customers' Verizon accounts.
The security firm said that 14 million subscribers were affected, about 10 percent of Verizon's 108 million total subscribers. The subscribers affected were primarily those who called Verizon's customer services line in the last six months.
"Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication," UpGuard said.
Nice Systems, the Israeli firm responsible for the breach, said in a statement that a fat-fingered staffer was to blame.
"This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project," it said.
Verizon has also spoken out about the incident and has said that while it is investigating the matter, there's no indication that the data had been compromised.
"An employee of one of our suppliers put information into a cloud storage area and incorrectly set the storage to allow external access," a Verizon spokesperson told CNBC.
"We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its supplier was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."
Verizon also said the number of subscribers affected was "overstated" and that the exposed PINs were not actually linked to customer accounts, but rather were numbers used to authenticate customers at call centres.
However, UpGuard said this exposure is a potent example of the risks of third-party suppliers handling sensitive data.
"Third-party supplier risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises," it said.