Lessons Learned from the Verizon Data Breach

By Eric Watkins, Senior Malicious Detection Researcher at zvelo

Earlier this week, over 14 million Verizon customers had sensitive user data associated with their Verizon accounts released into the wild.  A third-party vendor had stored the database on an improperly secured cloud server. While this unsecured server was located in the Amazon Web Services (AWS) cloud, the data breach was determined to be a result of human error on the contractor’s part, not any inherent security vulnerability in the AWS cloud. Regardless of the actions of their third party contractor, the responsibility ultimately rests on the shoulders Verizon. The 14 million customers who had their sensitive information leaked have fear of the consequences of this breach and the situation could cause significant damage Verizon’s business reputation.verizon

We aren’t quite sure the extent to which this data has been accessed by unknown 3rd parties.  Security auditors have discovered this sensitive data and there is a reasonable expectation that others – with less than desireable intentions – have found it as well. Unfortunately, the user records which were exposed with this breach  included the PIN numbers of Verizon’s clients processed by the 3rd party data contractor. 

Because many people have the tendency to use the same PIN across several providers, there is a risk of associated password (PIN) reuse attacks as a repercussion of this Verizon breach.  In other words, an attacker will often try the PIN associated with an specific individual taken from one data breach with another account associated with that same individual in the hope that the user set both accounts to the same PIN.

What are some steps companies can take to protect themselves against such breaches?

  • When working with providers to implement new cloud enabled web services, we recommend following best practices to ensure that the proper research is performed and that reliable partners are chosen to enable the migration of data into the cloud.
  • Remember that hosting data in the cloud with a third party doesn’t absolve your company of the responsibility to make sure that your user data is stored securely. Customers who employ your brand would not hesitate switch from your services once a breach like one of this magnitude occurs – regardless of the 3rd party contractor being involved or potentially be found at fault. Be aware of the risks of implementing 3rd parties to secure customer data and the potential impact to your brand’s reputation.
  • Check the type of data that is being migrated to the cloud.  Consider that more sensitive data loads require more secure methods and if the data is stored in the cloud, it should be audited on a routine basis.

What are a few good tools can be used to see if your data may have been compromised?

  • I highly suggest https://haveibeenpwned.com/,  run by Troy Hunt, a trusted member of the security community, who aggregates data dumps that have been released onto the web by hackers and then allows people to quickly and easily search for their own credentials. Just enter your email address to search thousands of breach dumps from large companies such as LinkedIn and MySpace. While the Verizon data breach data isn’t included yet, however I would suspect that at least part of the listing associated with breach will show up on Troy’s site fairly soon.
  • Another tool to use to search for data breaches by company is the Privacy Rights Clearinghouse database.  Simply input company names (in lieu of email addresses) and see if your search query company is returned one of the lists.  Use this service and be provided with the date and severity of the breach event, as well as the number of users impacted. Also, a brief synopsis of the breach is readily accessible and should provide good detail on the the company you are researching.

In this blog, we have provided some guidance for companies and individuals to take to be better prepared against data security breaches such as this latest Verizon breach. While it’s easy to imagine that events like this can only happen to other companies, we all purchase services from providers like Verizon and need to consider that we all could be affected by security breaches. Unfortunately, data breaches can occur with companies of any size – no matter how  large or small. Be sure to audit your personal data online and ask your providers what they are doing to prevent issues like this from occurring. Only by having open, honest conversations about the care of our data, can we place hope in companies to be more highly aware of our concerns around the security and privacy of our data being stored.