Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Verizon Engineer Exposes Internal System Data

Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.

Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.

The cloud container, discovered by Kromtech Security on September 20, stored roughly 100 Mb of data from a system called Distributed Vision Services (DVS), which is used to retrieve and update billing data on all Verizon Wireless front-end applications.

While the S3 bucket did not store any Verizon customer information, it did contain usernames, passwords, and 129 Outlook messages representing internal communications.

The security firm also reported finding information that could have been used to access parts of Verizon’s internal network, B2B payment server details, PowerPoint presentations describing Verizon’s infrastructure, and global router hosts.

An investigation by Verizon revealed that the storage container was owned and operated by one of its engineers and not the company itself. Access to the files was restricted shortly after Kromtech sent a notification to Verizon on September 21.

Kromtech was told that the storage container did not hold any confidential data, but experts are not convinced.

“Verizon had $126.0 billion in consolidated revenues in 2016 and it seems like they would not leave the keys to the front door of their data servers or network out for anyone. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open source or publically available?” explained Bob Diachenko, chief security communications officer at Kromtech.

“As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not,” Diachenko added.

Advertisement. Scroll to continue reading.

This was not the first time Verizon data was exposed via a misconfigured AWS S3 bucket. Back in mid-July, cyber resilience firm UpGuard reported that one of the company’s partners in Israel had exposed information on millions of Verizon customers.

Verizon determined at the time that the names, addresses, phone numbers and other details of roughly 6 million customers were exposed due to human error.

“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud. Protecting data in the cloud from accidental exposure and theft is a business priority,” said Zohar Alon, co-founder and CEO of Dome9.

“Companies need to be held highly accountable for their lack of security on the public cloud,” Alon told SecurityWeek. “The public cloud needs a united front on security with regular configuration checks and balances – where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers.”

Related: AWS Bucket Leaks Viacom Critical Data

Related: Amazon Unveils Machine Learning Security Service

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...