When there’s a technical issue, telecom customers often call a support line and ask for assistance, providing personal information when necessary to resolve the problem. However, what customers don’t know is that the personal data they share over the phone could be potentially susceptible to a cyberattack, depending on where it’s stored after the call is done. Verizon customers are now dealing with exactly this, as it’s been discovered that a misconfigured AWS server has exposed customer data that was recorded during support calls.
This data, which is from support calls that have occurred in the past six months, includes the names, street and email addresses, phone numbers, and account PINs of over 14 million Verizon customers. Out of all of this data, exposed PIN numbers are the most concerning, since these PINs can give cybercriminals direct access to a customer’s account – and potentially access to individual phone accounts which could be used to compromise two-factor authentication.
So, how exactly was this security gap created? A basic setting, access control, was not applied to the cloud instance in AWS, essentially leaving the data out in the open. Encryption should also have been applied to the storage volume within AWS. This server was operated by a third-party vendor called Nice Systems, who managed Verizon’s customer service operations. In this situation, Verizon wasn’t fully aware of the security gaps present in cloud infrastructure containing their customer data.
That’s why it’s important organizations use a cloud workload protection solution, they can discover workloads in the cloud they don’t know about (as long as they have overarching account credentials), immediately see their security settings, and use that information to apply new policy where necessary. If a cloud workload protection solution was in place, Verizon could have required that Nice Systems adjust security settings, as well as provide the telecom with an audit report of the cloud servers that hold their data, allowing them to take any security action necessary.
It’s important for companies using cloud services, like AWS, to remember that they aren’t exempt from applying security to their own infrastructure. It’s a shared responsibility, which Amazon outlines here
This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask those providers specific questions to help ensure they comply and, of course, do so consistently using a cloud workload protection solution.
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.