The personal details of up to "14 million customers" of US communications giant Verizon, including names, addresses, account records and account PIN numbers, were left exposed online on a cloud server without adequate password protection, a security firm has claimed.
The server was reportedly maintained by a third-party vendor called Nice Systems, a global 'customer experience' and big data analytics company, headquartered in Israel, that has previously been accused of selling tools which enable government surveillance.
According to cybersecurity firm UpGuard, one of its researchers uncovered the database and its terabytes of internal files without any meaningful protection.
The cloud-based Amazon Web Services (AWS) repository was "downloadable and configured to allow public access," the firm said. And it was exposed – where anyone could have downloaded and exploited the information – for the better part of a month.
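The exposure UpGuard describes comes down to how the storage bucket was configured. What follows is an added example, not code from UpGuard, Verizon or Nice Systems: an offline audit of the three documents that decide whether an S3 bucket is reachable by the public (its ACL, its bucket policy and its Public Access Block settings), run over constructed samples in the shape the AWS API returns them. The bucket name, owner ID and sample documents are invented. S3 Block Public Access did not exist at the time of this incident (AWS introduced it in late 2018), so that part of the check reflects what a defender would run today rather than what was available in June 2017.

```python
"""Offline audit of an S3 bucket's access configuration (added example).

The ACL, bucket policy and Public Access Block dicts below are constructed
samples mirroring what boto3's get_bucket_acl, get_bucket_policy and
get_public_access_block return; nothing here is taken from the incident.
"""
import json

# Predefined AWS group grantees; a grant to either makes the bucket reachable
# beyond the owning account (AllUsers = anyone, AuthenticatedUsers = any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl):
    """Flag ACL grants to the public or authenticated-users groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append(
                f"ACL grants {grant['Permission']} to {PUBLIC_GROUP_URIS[uri]}")
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """Flag Allow statements whose principal is a wildcard."""
    findings = []
    if policy is None:  # no bucket policy attached
        return findings
    if isinstance(policy, str):  # get_bucket_policy returns the JSON as a string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        note = " (conditional; review the Condition block)" if st.get("Condition") else ""
        findings.append("policy allows " + ", ".join(actions) + " to Principal *" + note)
    return findings


def pab_findings(pab):
    """Flag any of the four Block Public Access settings that is not enabled."""
    pab = pab or {}  # None models a bucket with no configuration at all
    return [f"Public Access Block: {key} is not enabled"
            for key in PAB_SETTINGS if not pab.get(key)]


def audit_bucket(acl, policy, pab):
    """Return all findings for one bucket; an empty list means no public path found."""
    return acl_findings(acl) + policy_findings(policy) + pab_findings(pab)


# --- constructed samples -------------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-staging-bucket/*"}]})
EXPOSED_PAB = {key: False for key in PAB_SETTINGS}

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = None
HARDENED_PAB = {key: True for key in PAB_SETTINGS}


if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(f"{name}: {audit_bucket(*args) or ['no public access path found']}")
```

In a live audit the three dicts would come from boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` calls for each bucket in the account; the latter two raise a client error when the bucket has no policy or no Public Access Block configuration, which maps onto passing `None` here. A bucket holding call-centre logs should produce an empty findings list; anything else is a path by which an outsider can read the data.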
In a blog post published on Wednesday 12 July, UpGuard said it was initially found on 8 June, reported on 13 June and later resolved on 22 June 2017.
The repository reportedly contained six folders dated from January to June this year.
In one text file the researchers uncovered "six thousand" unmasked PIN codes – assigned to individual customers to identify accounts. Upon analysis, the records were linked to Verizon customer call centre logs which used Nice Systems' technology.
UpGuard cyber resilience analyst Dan O'Sullivan branded some aspects of the find "troubling".
"The exposure of Verizon account pin codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning," he wrote.
"Possession of [...] account pin codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication."
UpGuard said that once the leaked files were unzipped and analysed, their contents turned out to be daily customer logs – with some text documents as large as 23GB. One included voice recognition data from a phone support line – but no recordings were exposed.
Interestingly, the researcher also found data that appeared to be linked to French telecommunications firm Orange, another partner of Nice Systems.
UpGuard said this trove of leaked data was "less sensitive" but still noteworthy, since the rest of the repository consisted entirely of Verizon records.
"Third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements," O'Sullivan continued.
"There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor's side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise."
'No loss or theft'
In a statement to IBTimes UK, a Verizon spokesperson said: "An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access.
"We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.
"The vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call centre portal and required certain data for the project.
"The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."
The firm claimed the number of subscriber accounts included in the UpGuard report was "significantly overstated" but did not provide an alternative figure to publish.
A spokesperson for Nice Systems said: "Published reports erroneously confuse a human error at a project with inaccurate past reports related exclusively to a business that Nice divested several years ago and no longer has anything to do with our business.
"This human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project."
It is not uncommon for sensitive information, especially when collected by third-party vendors, to be left online on misconfigured storage.
In June this year, UpGuard was credited with discovering an exposed database that was storing the personal information of nearly 200 million American voters. That incident was linked to Deep Root Analytics, a marketing and big data company with ties to the US Republican Party.
This article was updated to add comment from Nice Systems.