Update, July 16, 2018, at 2:25 p.m. Well, we goofed. The report on the Verizon vulnerability was from July 2017. At the time, Verizon said that “NO Verizon or Verizon customer information was lost or stolen, and this was NOT a breach or a hack.” The company also clarified that the PINs in question were to provide access to customer accounts over the phone but do not allow online access. It also said that 6 million customers were affected, not 14 million.
Original post: An Israel-based technology company has exposed up to 14 million Verizon subscribers’ customer records and personal information, according to a report by ZDNet. After a security researcher flagged the vulnerability, Verizon didn’t fully address the problem for more than a week. It now insists customers have nothing to worry about—even though the exposed information included such sensitive things as PINs.
NICE Systems, an enterprise software organization based in Ra’anana, Israel, improperly stored subscribers’ data on an unprotected Amazon S3 storage server, which could be freely accessed and downloaded by anyone with the “easy-to-guess” web address, ZDNet reported.
NICE—whose clients include 85 of the Fortune 100 companies—provides two main services: customer service and financial crime prevention. According to NICE’s website, it works with It works with large companies to “improve their business performance” and “enhance their safety and security.” Verizon sends data to NICE for analysis, which the company says it uses to “realize intent, and extract and leverage insights to deliver impact in real time.”
The data stored by NICE came from log files of customer service calls to Verizon in the last six months. When subscribers called the phone company, the interactions were recorded and sent to NICE for analysis. The data stored on the unsecured server included subscribers’ personal information, such as a customer’s name, cell phone number, email address, and account PIN. The records also contained hundreds of fields of additional data about subscribers, including their current account balance and whether they have a Verizon federal government account. One field recorded a subscriber’s “frustration score” when speaking to customer service.
It appears that Verizon made an effort to redact some of the private information stored on the server, but most of the customer records were partly or entirely visible.
If someone obtained the unsecured data, they would be able to easily access customers’ Verizon accounts. From there, security experts told ZDNet that it would be possible in theory for attackers to hijack a customer’s phone number and take over their account. In the worst-case scenario, a hacker could gain access to Verizon customers’ email and social media accounts—even those with two-factor authentication.
Chris Vickery, director of cyber risk research at the security firm UpGuard, discovered the NICE security lapse and alerted Verizon to the exposure. However, it took more than seven days for the data to be secured.
Verizon said that it was investigating the security lapse and noted that the “overwhelming majority of information in the data set has no external value.” However, security experts noted that all it would take to access subscribers’ accounts are customer names, phone numbers, and account PINs.
A Verizon spokesperson stated that an investigation found that, besides Vickery, there was no indication that any “other external party accessed the data,” but Verizon would not say how it reached that conclusion. “The logic goes that if a security researcher found the data, there’s no telling who else might have done,” according to ZDNet.
Ted Lieu, a Democratic congressman from California, told ZDNet that the exposure was “highly troubling,” and said that he would ask the Judiciary Committee to hold a hearing to determine “the scale and scope of what happened and to make sure it doesn’t happen again.”
It remains unclear whether anyone downloaded the data, but there is currently no indication that customers’ information has been compromised.