THIS LEAK WON’T BE THE LAST
Experts: Lack of expertise means disclosure of Verizon data could recur
Businesses everywhere, beware — what happened at Verizon can happen to you, too.
The names, addresses, phone numbers and, in some cases, security PINs of 6 million Verizon customers stored on large cloud- computing servers were made available to the public, the telecommunications carrier said last week after a cybersecurity company notified it of the exposed data.
Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of the contractors it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.
Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers’ lives.
The leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.
In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif. cybersecurity company UpGuard identified the data cache.
More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content get a firm grip on the security protections they need to place around such data.
“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”
His take: Data leaks will keep happening until cloud storage systems become more automated and the enterprises have more help dealing with the system.
Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice. The customers are responsible for making sure their applications are secure.