US telecommunications giant Verizon has confirmed that the details of six million customers were exposed online by a third-party vendor, less than 24 hours after cybersecurity firm UpGuard published the claim that the scope of the incident was much larger.
On 12 July, security experts claimed "as many as 14 million" Verizon customers subscribed to a customer service line managed by Nice Systems, an Israeli firm, had their names, addresses and personal Verizon account numbers left at risk online by a leaky database.
That figure, a Verizon spokesperson claimed, was "significantly overstated". At the same time, he admitted that the incident hit "six million" unique customers.
A statement elaborated: "An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access.
"We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. There has been no loss or theft of Verizon or Verizon customer information."
Nevertheless, the data exposure, discovered by US-headquartered firm UpGuard and first reported by ZDNet, still involves a huge number of records.
The security firm said the files were discovered on an unprotected Amazon Web Services (AWS) database on 8 June but that the issue was not fully resolved until weeks later, on 22 June 2017.
Verizon said that its partner Nice Systems was supporting an initiative designed to improve a call centre portal, which is why it had access to such sensitive customer data.
It claimed the "majority of information in the data set had no external value."
That was a sentiment not likely to be shared by those who had their names, addresses and account data exposed online. It remains unclear if Verizon plans to notify those impacted, but the company asserted that it remains "committed to the security and privacy" of its customers.
The main fear, according to the experts, was that Verizon PIN numbers in the trove of exposed data could be used to trick Verizon operators into letting hackers access personal accounts.
In a statement to IBTimes UK, Nice Systems said: "Reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that Nice divested several years ago and no longer has anything to do with our business.
"This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project." It declined to confirm that the data was linked to Verizon.
Corporate spin is expected in a situation of this nature – and Verizon chiefs appear eager to stress that the scope of the exposure was not as large as initially reported. Yet despite the assertion that only researchers accessed the data, it's still an unfortunate situation for all involved.