Verizon is an American multinational telecommunications conglomerate and the largest U.S. wireless communications service provider as of September 2014, and a corporate component of the Dow Jones Industrial Average.
Chris Vickery, director of cyber risk research at security firm UpGuard, found an unprotected database on Amazon S3 that was completely downloadable and configured to provide public access. The database and its multiple terabytes of contents could thus be accessed simply by entering the S3 URL.
According to UpGuard:
“The repository’s subdomain, “verizon-sftp,” is an indication of the files’ corporate origins. Viewing the repository, there are six folders titled “Jan-2017” through “June-2017,” as well as a number of files formatted with .zip, among them “VoiceSessionFiltered.zip” and “WebMobileContainment.zip.” These files, inaccessible via .zip extraction, could be decompressed once the format was changed to .gzip, another file compression program.”
The data included sensitive information of millions of customers, including their names, phone numbers, and account PINs (personal identification numbers). The database was sitting on an Amazon Web Services S3 server without any type of authentication.
“This is not all, however. A great many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large amount of these logged calls, however, the most sensitive data—such as “PIN” and “CustCode”—is masked.”
The researcher reported the exposure to Verizon team in late June, and the database was then secured in a week.