How a Misconfigured AWS Server Exposed Verizon Customers’ Data
When there’s a technical issue, telecom customers often call a support line and ask for assistance, providing personal information when necessary to resolve the problem. However, what customers don’t know is that the personal data they share over the phone could be potentially susceptible to a cyberattack, depending on where it’s stored after the call is done. Verizon customers are now dealing with exactly this, as it’s been discovered that a misconfigured AWS server has exposed customer data that was recorded during support calls.
This data, which is from support calls that have occurred in the past six months, includes the names, street and email addresses, phone numbers, and account PINs of over 14 million Verizon customers. Out of all of this data, exposed PIN numbers are the most concerning, since these PINs can give cybercriminals direct access to a customer’s account – and potentially access to individual phone accounts which could be used to compromise two-factor authentication.
So, how exactly was this security gap created? A basic setting, access control, was not applied to the cloud instance in AWS, essentially leaving the data out in the open. Encryption should also have been applied to the storage volume within AWS. This server was operated by a third-party vendor called Nice Systems, who managed Verizon’s customer service operations. In this situation, Verizon wasn’t fully aware of the security gaps present in cloud infrastructure containing their customer data.
That’s why it’s important organizations use a cloud workload protection solution, they can discover workloads in the cloud they don’t know about (as long as they have overarching account credentials), immediately see their security settings, and use that information to apply new policy where necessary. If a cloud workload protection solution was in place, Verizon could have required that Nice Systems adjust security settings, as well as provide the telecom with an audit report of the cloud servers that hold their data, allowing them to take any security action necessary.
It’s important for companies using cloud services, like AWS, to remember that they aren’t exempt from applying security to their own infrastructure. It’s a shared responsibility, which Amazon outlines here
This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask those providers specific questions to help ensure they comply and, of course, do so consistently using a cloud workload protection solution.
The post How a Misconfigured AWS Server Exposed Verizon Customers’ Data appeared first on McAfee Blogs.
More antivirus and malware news?
- Library Service interruption – The CAT: Wednesday, 12/23/15 at 5:15 pm. – Monday 12/28/15
- Discounts for online reviews? No, says FTC
- Server? What server? Site forgotten for 12 years attracts hacks, fines
- Ukraine shuts down forum for malware writers
- ‘No iOS Zone’ Wi-Fi zero-day bug forces iPhones, iPads to crash and burn
- Want a security pro? For starters, get politically incorrect and understand geek culture
- Slack Releases Open Source Secure Development Lifecycle Tool
- Russian dashboard cameras, YouTube beam meteor explosion worldwide
- Mobile adware is not the same as PC, has access to personal information: Bitdefender
- Microsoft Internet Explorer Enhanced Protected Mode CVE-2013-5046 Security Bypass Vulnerability