USA TODAY International Edition
TELL DATA THIEVES TO GET OFF YOUR CLOUD
Experts: Lack of expertise means Verizon leak could recur
Businesses everywhere, beware — what happened at Verizon can happen to you, too.
The names, addresses, phone numbers and, in some cases, security PINs of 6 million Verizon customers stored on large cloud- computing servers were made available to the public, the telecommunications carrier said last week after a cybersecurity company notified it of the exposed data.
Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of the contractors it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.
Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers’ lives.
The leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.
In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif. cybersecurity company UpGuard identified the data cache.
More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.
“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”
His take: Data leaks are going to keep happening until cloud storage systems become more automated and the enterprises have more help dealing with the system.
Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.
It’s similar to a Google Docs user setting the “sharing” setting to private, a small group, or anyone.
Chris Vickery of UpGuard, who found and alerted Verizon and the RNC to their data leaks, expects more will happen because the enterprises using cloud storage don’t understand it.
Vickery advises having an IT member go home early once a month and see if he or she can access cloud storage websites without special access. If they can get in, so can other people.