A “breakdown in communications” delayed Verizon from closing millions of publicly exposed user files last week.
Verizon took more than a week to respond to a cybersecurity company’s notification that a configuration error was putting customer information at risk, the Chicago Tribune reported. That delay was due to a member of the team being on vacation.
The cyber risk team from UpGuard, which helped discover the recent Republican National Committee leak, on June 8 discovered a downloadable Amazon S3 repository containing a Verizon subdomain. An employee of NICE Systems, which provides back-office and call-center support for Verizon, had configured it for public access. UpGuard contacted Verizon on June 13, and Verizon closed the leak on June 22.
UpGuard wrote that the exposure could have affected 14 million users, while Verizon insists that it was no more than 6 million.
Verizon says that the incident was neither a breach nor a hack and emphasized that the error was that of one of its vendors. NICE Systems, which has a foot in the channel, provides the carrier with software to measure its call-center workforce.
“We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention,” the company’s statement read. “In other words, there has been no loss or theft of Verizon or Verizon customer information.”
According to the Tribune, a member of UpGuard’s team called a member of Verizon’s team on June 8 and left a voice mail, but checked on the repository a week later to see that nothing had been fixed. UpGuard then emailed the entire team and prompted a response within 24 hours.
UpGuard criticized Verizon for not responding to the situation sooner, calling the delay “troubling.” It’s also a demonstration of how a third-party vendor’s cyber risks are inseparable from those of the client enterprise.
“Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises,” UpGuard’s Dan O’Sullivan wrote in a blog.
It’s a clear example of one of many security breach scenarios that Verizon’s own data breach investigation team recently shared. As the study ironically pointed out, a large number of data leaks come either from the inside or from a partner and aren’t intentional.