The personal information of as many as 14 million US Verizon customers was left exposed online, claims a cybersecurity firm.
According to reports, the data was found on an unprotected Amazon S3 storage server controlled by an employee of Israel-based technology company NICE Systems.
The third-party vendor appeared to have created the data repository to log customer call data, but left the sensitive information “downloadable and configured to allow public access,” reported ZDNet.
Security researchers discovered the data, which included customer names, phone numbers, account records and PINs, on June 8.
Verizon was then contacted about the files on June 13, and resolved the issue about a week later on June 22.
“Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning,” explained UpGuard researchers.
“Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.”
In response to the incident, a Verizon spokesperson said that no other external party had accessed the customer data.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information,” the company told IBTimes UK.
The telecom giant added that the data set had “no external value.” Although it did contain some personal information, “there was no Social Security numbers or Verizon voice recordings,” it noted.
Verizon also claims the number of accounts included in the repository was “significantly overstated,” reported IBTimes UK. However, it did not provide details on more accurate figures.