NEW YORK — Verizon confirmed Wednesday the personal data of 6 million customers was leaked online.
The security issue, uncovered by research from cybersecurity firm UpGuard, was caused by a misconfigured security setting on a cloud server because of human error.
The error made customer phone numbers, names, and some PIN codes publicly available online. PIN codes are used to confirm the identity of people who call for customer service.
No loss or theft of customer information occurred, Verizon said.
UpGuard — the same company that discovered leaked voter data in June — initially said the error could impact up to 14 million accounts.
Chris Vickery, a researcher at UpGuard, discovered the Verizon data was exposed by NICE Systems, an Israel-based company Verizon was working with to facilitate customer service calls. The data were collected over the past six months.
Vickery alerted Verizon to the leak on June 13. The security hole was closed on June 22.
The incident stemmed from NICE security measures that were not set up properly.
The company made a security setting public instead of private on an Amazon S3 storage server — a common technology used by businesses to keep data in the cloud.
This means Verizon data stored in the cloud were temporarily visible to anyone who had the public link.
ZDNet first reported the breach.
The security firm analyzed a sample of the data and found some PIN codes were hidden but others were visible next to phone numbers.
UpGuard declined to disclose how the leaked data were discovered.
Dan O’Sullivan, a Cyber Resilience Analyst with UpGuard, said exposed PIN codes is a concern because it allows scammers to access someone’s phone service if they convince a customer service agent they’re the account holder.
“A scammer could receive a two-factor authentication message and potentially change it or alter [the authentication] to his liking,” O’Sullivan said. “Or they could cut off access to the real account holder.”
Verizon customers should update their PIN codes and not use the same one twice, O’Sullivan advises.
The is the latest leak to surface from a misconfigured Amazon S3 storage unit.
In June, an analytics firm exposed the data of almost 200 million voters, and earlier this month, an insecure server leaked 3 million WWE fans’ data last week.AlertMe