How a Misconfigured AWS Server Exposed Verizon Customers’ Data

When there’s a technical issue, telecom customers often call a support line and ask for assistance, providing personal information when necessary to resolve the problem. What customers don’t know is that the personal data they share over the phone could be susceptible to a cyberattack, depending on where it’s stored after the call ends. Verizon customers are now dealing with exactly this: a misconfigured AWS server has been found to have exposed customer data that was recorded during support calls.

This data, which is from support calls that have occurred in the past six months, includes the names, street and email addresses, phone numbers, and account PINs of over 14 million Verizon customers. Of all this data, the exposed PINs are the most concerning, since these PINs can give cybercriminals direct access to a customer’s account – and potentially access to individual phone accounts, which could be used to compromise two-factor authentication.

So, how exactly was this security gap created? A basic setting, access control, was not applied to the cloud instance in AWS, essentially leaving the data out in the open. Encryption should also have been applied to the storage volume within AWS. This server was operated by a third-party vendor called Nice Systems, which managed Verizon’s customer service operations. In this situation, Verizon wasn’t fully aware of the security gaps present in the cloud infrastructure containing its customer data.

That’s why it’s important that organizations use a cloud workload protection solution. With one, they can discover workloads in the cloud they don’t know about (as long as they have overarching account credentials), immediately see their security settings, and use that information to apply new policy where necessary. If a cloud workload protection solution had been in place, Verizon could have required that Nice Systems adjust security settings, as well as provide the telecom with an audit report of the cloud servers that hold its data, allowing it to take any security action necessary.
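The kind of check such an audit performs, as an added example that is not from the original article or from any vendor's product: it flags stores whose resource policy grants access to everyone and stores without encryption at rest, then groups the findings by operator. The inventory, resource names, operator labels and the `encrypted_at_rest` field are constructed assumptions; the policy documents follow the AWS JSON policy format.

```python
import json

# Constructed inventory: all names, operators and policies are illustrative.
INVENTORY = [
    {"name": "support-call-logs", "operator": "vendor-a", "encrypted_at_rest": False,
     "policy": {"Statement": {"Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::support-call-logs/*"}}},
    {"name": "billing-exports", "operator": "vendor-a", "encrypted_at_rest": True,
     "policy": {"Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::billing-exports/*"}]}},
    {"name": "ivr-recordings", "operator": "internal", "encrypted_at_rest": True,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["*"]},
                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ivr-recordings/*",
                "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_principal(principal):
    """True when Principal matches anyone: "*" or a mapping containing "*"."""
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in _as_list(v) for v in values)

def audit_resource(resource):
    """Return findings for one store: open access control, missing encryption."""
    findings = []
    policy = resource.get("policy") or {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and wildcard_principal(stmt.get("Principal")):
            findings.append("wildcard principal, condition-limited: review"
                            if "Condition" in stmt else "public access")
    if not resource.get("encrypted_at_rest", False):
        findings.append("no encryption at rest")
    return findings

def audit_report(inventory):
    """Group findings by operator so each vendor gets its own remediation list."""
    report = {}
    for res in inventory:
        findings = audit_resource(res)
        if findings:
            report.setdefault(res["operator"], {})[res["name"]] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit_report(INVENTORY), indent=2))
```

A statement that allows a wildcard principal but carries a `Condition` is reported for manual review rather than as public, because the condition may or may not restrict access enough.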

It’s important for companies using cloud services, like AWS, to remember that they aren’t exempt from applying security to their own infrastructure. It’s a shared responsibility, as Amazon outlines in its shared responsibility model.

This shared responsibility and the relationships organizations have with third-party vendors are especially important to keep top of mind as regulators begin passing legislation that imposes specific data privacy requirements for companies, such as the E.U.’s General Data Protection Regulation (GDPR). If a company stores any data on European citizens in the cloud, it should ask those providers specific questions to help ensure they comply and, of course, do so consistently using a cloud workload protection solution.

For more information on this incident and others like it, follow us at @McAfee and @McAfee_Business.
