Names and phone numbers of millions of Verizon customers were made available on a publicly accessible storage area owned by one of the company's vendors, according an enterprise security software company that discovered the exposed data.
"Anyone entering a URL in a browser would have been able to access it," said Dan O'Sullivan, cyber-resilience analyst with UpGuard, the Mountain View, Calif., company that found the data.
Exposed were text files logging calls made this year to Verizon call centers between Jan. 1 and June 22, O'Sullivan said. In most cases, the logs included the names, phone numbers and addresses of Verizon subscribers. In some cases, account personal identification numbers used to verify callers' identities were also exposed, O'Sullivan said.
The storage area belonged to Nice Systems, a Verizon vendor which does business related to call-center management. UpGuard informed Verizon of its findings on June 13, O'Sullivan said. A week later, access was shut off.
After the technology news website ZD Net published a story about the episode Wednesday, Verizon issued a news release apologizing to its customers.
The phone giant confirmed that its customers' information — including their cellphone numbers and PINs in some cases — had been incorrectly placed in an insecure cloud storage area.
None of the exposed information had been lost or stolen, the company said.
Verizon spokesman David Samberg said that 6 million unique customer accounts were exposed — a smaller number than the 14 million estimated by UpGuard. Verizon was still investigating the problem when the story broke, he said.
Verizon said a "limited amount of personal information" had been left open to external access, as well as additional information that "had no external value."
The episode prompted U.S. Rep. Ted Lieu (D-Torrance) to request a Judiciary Committee hearing, said Lieu's chief of staff, Marc Cevasco.
Lieu, a Verizon customer, is concerned about possible misuse of the data. "If anyone had that information they could go online and have access to your account, and your call log, etc.," he said.
Also, "most people use their PIN for more than one thing," he said, so exposed PINs might put people at risk of identity theft.
Cevasco also said that Lieu was not convinced by Verizon's assertions that no data had been lost or stolen. Samberg, the Verizon spokesman, said that the assertion is based on a review of logs on the storage site that yielded reports of who might have viewed the data.
"A good hacker would know how to circumvent stuff like that," Cevasco said. Sophisticated state actors, looking for, say, information on government workers, were of particular concern, he added.
Lieu’s letter to Judiciary Chairman
Nice Systems, headquartered in Raanana, Israel, released a statement that called the problem "human error" involving an "isolated staging area with limited information."
O'Sullivan said the exposure underscores the rapidly increasing risks of data breaches. "This is a really remarkable incidence of third-party vendor risk," he said. "A customer knows they are giving their information to Verizon, but they are probably not aware that information is going to be shared with third-party vendors."
2:15 p.m.: This article was updated to include comments from Dan O'Sullivan, David Samberg and Marc Cevasco.