Verizon Customer Info Database Found Wide Open on the Internet
Hard on the heels of Verizon Enterprise Solutions’ data breach of 1.5 million customer contact details, the news comes that an open database of 50 GB of Verizon customer data has been discovered, completely unprotected by any password or authentication.
MacKeeper security researcher Chris Vickery discovered the DB back in December and disclosed it to Verizon. All that was needed in order to access it was a MongoDB client and the IP address.
Yet, even after a back-and-forth with Verizon’s director of cybersecurity, Jim Matteo, Verizon did little to fix the issue—prompting Vickery to go public. After notifying Verizon of his intention, he received a response this week.
“I had not heard back from Jim until March 28th, 2016 when the Verizon PR staff heard that I was planning to post this article,” he said in a blog post.
The Verizon PR team claimed that the MongoDB instance was only a test environment containing fictitious customer data, non-sensitive reference material and unique encryption keys, and that it used only passwords specific to that test environment. Vickery disputed that claim: he was in possession of 50 GB of data (now purged), with at least some of the database tables actually marked as production (i.e. not test data).
“Companies, when caught with their pants down, almost always claim that the exposed data is fictitious, or just a test environment,” Vickery said. “It’s an easy excuse that, if believed, gets them out of a lot of potential embarrassment and liability. I’d say that 90% of the breaches I find are initially denied as just ‘test data.’ But I’d also say that the vast majority of those do indeed turn out to be real breaches in the end.”
Verizon’s Matteo later told Vickery that he was right, and that the situation amounts to a “hybrid breach” scenario.
“It turns out that there was indeed production data here in somewhat of a test environment,” said Vickery. “There had been some kind of service disruption in one of Verizon’s network services around November 6th, 2015. That’s when this test environment was put together and populated with, at least some level of, production data. It was used to troubleshoot and resolve the errors, but then wasn’t properly taken down after the problems were fixed.”
Last week, another MongoDB database of Verizon Enterprise Solutions (VES) customer info, including data on some of the top Fortune 500 companies, was found up for sale on an underground cybercrime forum, with a price tag of $100,000. Independent security researcher Brian Krebs ran across the information on the Dark Web. He said that while interested parties could buy the whole package, the seller also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Also for sale: information about security vulnerabilities in Verizon’s website.
Though the latest disclosed issue shows no signs that criminals accessed it, “it took them a month to plug the hole,” Vickery said. “It never made the news, but now I wish that I had made a bigger deal out of it. Maybe that would have spurred some changes which could have prevented the breach that Krebs wrote about.”
Source: Information Security Magazine