USA TODAY US Edition

Verizon’s data leak not the first — or last

Experts say lack of expertise means more disclosures

- Madeline Purdue @madelinepurdue USA TODAY

Businesses everywhere, beware — what happened at Verizon, Dow Jones and the RNC can happen to you, too.

A reminder: The names, addresses, phone numbers and, in some cases, security PINs of 6 million Verizon customers stored on large cloud-computing servers were made available to the public, the telecommunications carrier said last week after a cybersecurity company notified it of the exposed data.

Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of its contractors that it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.

Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers’ lives.

The Verizon leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.

In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif., cybersecurity company UpGuard identified the cache. And over the weekend, Wall Street Journal parent Dow Jones & Co. said the records of 2.2 million customers, which in some cases included names, addresses, account information and the last four digits of credit-card numbers, were left exposed in an Amazon Web Services account. Dow Jones says it doesn’t believe any information was taken.

More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.

“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” said Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”

His take: Data leaks are going to keep happening until cloud storage systems become more automated and enterprises have more help dealing with systems.

Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system and gives customers encryption tools, best practices and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.

It’s roughly similar to a Google Docs user setting the “sharing” setting to private, a small group or anyone.

Chris Vickery, director of cyber risk research at UpGuard and the person who found and alerted Verizon and the RNC to their data leaks, expects more leaks will happen in the future because the enterprises using cloud storage don’t understand it.

“There are a bevy of pitfalls you can get caught in if you rush too quickly into technology you’re not prepared to handle,” Vickery said.

There are ways for enterprises to see if their data is vulnerable.

Vickery advises having one of an enterprise’s IT staff go home early once a month and see if they can access any of the cloud storage websites that contain sensitive data without special access.

If they can get in, so can other people.

JUSTIN LANE, EUROPEAN PRESSPHOTO AGENCY
