14 Million Customer Records Exposed in Verizon Partner Data Breach
Human error is responsible for the latest batch of data being exposed on the web. NICE Systems, a Verizon partner, inadvertently posted the personal information of up to 14 million customers on an unprotected server. The data, which has since been secured, could have been downloaded by anyone accessing the server’s website.
Security researcher Chris Vickery initially found the data in late-June and reported his findings to Verizon. He wrote that the information available included names, home and email addresses, account details, and personal identification numbers (PINs). Most of the records seemed to be from U.S. customers.
Vickery found the PINs are of particular concern, as these are used to verify a customer’s identity if they call with a problem, which a Verizon employee anonymously confirmed to ZDNet.
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication,” Vickery said.
Verizon has confirmed the error occurred, but said only six million customers had their data exposed, as some of the customer data was masked. The company will not say how it redacts information, as this would create security concerns. They also assert that no PINs were exposed and told CNBC these numbers were for internal record keeping and were not linked to customer accounts.
The data repository seems to have been created to log customer calls from January through June of this year. Verizon had hired NICE to handle its back-office and call center operations.