It’s a day ending in the letter “Y,” so we’re not surprised that yet another breach of customer information is making the news: In the latest, a cyber security firm says information for at least 14 million Verizon residential and small business wireline customers was found on an unsecured web server, allowing anyone on the Internet to access it. Verizon says that figure was closer to six million customer records.
Israeli technology firm UpGuard says its cyber security team found a misconfigured cloud-based file repository containing the names, addresses, account details, and account personal identification numbers of millions of Verizon customers.
The firm came to this number after analyzing the average number of accounts exposed per day in the sample that was downloaded.
The data dump — on a publicly accessible AWS S3 bucket owned and operated by a third-party software and data company called NICE systems — appears to have been created to track customer call data for “unknown purposes,” UpGuard says.
The fact that PIN codes are listed alongside customers’ associated phone numbers is particularly concerning, the company notes: Armed with that information, scammers could pose as customers, call Verizon, and gain access to customer accounts.
Also worrisome? UpGuard says it notified Verizon on June 13 about the problem, but the breach was not closed until June 22.
Verizon says it’s investigating the incident, but that “the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention.”
“In other words, there has been no loss or theft of Verizon or Verizon customer information.”
As far as PINs go, those codes are used to authenticate a customer calling the wireline call center, “but do not provide online access to customer accounts.”
Verizon also claims that “the number of subscriber accounts included in the media report is overstated.” To that end, a company spokesman tells Consumerist that “the records contained in the data set pertained to six million unique customers.”
Correction: This post originally indicated it was Verizon Wireless customers whose records had been exposed. This story has been updated to note that the incident involved residential and small business wireline customers.
Editor's Note: This article originally appeared on Consumerist.