How a Misconfigured AWS Server Exposed Verizon Customers’ Data
When there’s a technical issue, telecom customers often call a support line and ask for assistance, providing personal information when necessary to resolve the problem. However, what customers don’t know is that the personal data they share over the phone could be susceptible to a cyberattack, depending on where it’s stored after the call is done. Verizon customers are now dealing with exactly this, as it’s been discovered that a misconfigured AWS server has exposed customer data that was recorded during support calls.
This data, which is from support calls that have occurred in the past six months, includes the names, street and email addresses, phone numbers, and account PINs of over 14 million Verizon customers. Of all this data, the exposed PINs are the most concerning, since these PINs can give cybercriminals direct access to a customer’s account – and potentially access to individual phone accounts, which could be used to compromise two-factor authentication.
So, how exactly was this security gap created? A basic setting, access control, was not applied to the cloud instance in AWS, essentially leaving the data out in the open. Encryption should also have been applied to the storage volume within AWS. This server was operated by a third-party vendor called Nice Systems, which managed Verizon’s customer service operations. In this situation, Verizon wasn’t fully aware of the security gaps present in the cloud infrastructure containing its customer data.
That’s why it’s important that organizations use a cloud workload protection solution. With one, they can discover workloads in the cloud they don’t know about (as long as they have overarching account credentials), immediately see their security settings, and use that information to apply new policy where necessary. If a cloud workload protection solution had been in place, Verizon could have required that Nice Systems adjust security settings, as well as provide the telecom with an audit report of the cloud servers that hold its data, allowing it to take any security action necessary.
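As an added illustration (not code from the original post or from any vendor product), the sketch below shows the kind of settings audit described above, checking an inventory for the two controls the article says were missing: access control and encryption. It assumes the storage is described by records shaped like S3 `GetBucketAcl`, `GetPublicAccessBlock` and `GetBucketEncryption` responses; the article does not name the storage service, and the inventory names are constructed.

```python
# Added example, not from the article. Record shape mirrors S3 GetBucketAcl,
# GetPublicAccessBlock and GetBucketEncryption responses (an assumption: the
# article does not name the storage service involved).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def public_grants(record):
    """Permissions granted to public groups, unless public ACLs are ignored."""
    pab = record.get("PublicAccessBlockConfiguration") or {}
    if pab.get("IgnorePublicAcls"):
        return []
    return sorted(g["Permission"] for g in record.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS))

def default_encryption(record):
    """Default server-side encryption algorithm, or None when none is set."""
    sse = record.get("ServerSideEncryptionConfiguration") or {}
    for rule in sse.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def audit(inventory):
    """Per-resource findings for the two controls the article says were missing."""
    report = {}
    for record in inventory:
        findings = []
        grants = public_grants(record)
        if grants:
            findings.append("public access: " + ", ".join(grants))
        if default_encryption(record) is None:
            findings.append("no default encryption")
        report[record["Name"]] = findings
    return report

# Constructed inventory; names are hypothetical, not from the incident.
SAMPLE = [
    {"Name": "vendor-call-logs",
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    {"Name": "billing-archive",
     "Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}],
     "PublicAccessBlockConfiguration": {"IgnorePublicAcls": True},
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

A report like this, run across every account that holds the organization's data (including accounts operated by vendors), is what lets the data owner ask for specific settings to be corrected.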
It’s important for companies using cloud services, like AWS, to remember that they aren’t exempt from applying security to their own infrastructure. It’s a shared responsibility, which Amazon outlines in its shared responsibility model.
This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask those providers specific questions to help ensure they comply and, of course, do so consistently using a cloud workload protection solution.
The post How a Misconfigured AWS Server Exposed Verizon Customers’ Data appeared first on McAfee Blogs.