What hospitals using cloud storage should know about Verizon's data breach
A misconfigured cloud storage database exposed the personal information of as many as 14 million U.S. Verizon customers, UpGuard Cyber Risk Analyst Chris Vickery first made the discovery on June 8. It took more than a week for Verizon to secure the data.
NICE, a telephonic software and data firm, handles the back-office and call center operations for Verizon.
While a Verizon spokesperson claims it was just 6 million accounts exposed, any customer who called the company’s customer service line in the last six months were part of the breach. The database was found on an unprotected Amazon S3 storage server controlled by Israel-based Nice Systems.
The exposed data contains names, addresses, account information and PIN codes that are used to verify customers alongside phone numbers. UpGuard said that these codes could allow a scammer to successfully pose as customers in calls to Verizon, which would provide them access to accounts.
The database was created to log customer data. French-language text files stored in the server showed internal data from Paris-based telecommunications firm Orange S.A., a NICE partner, as well.
The cause of the breach? An employee unchecked a box, which made the database public. Amazon makes the default setting private for all cloud storage. Calls to Amazon for comment were not returned by time of publication.
Verizon’s breach is the second massive disruption for Amazon S3 this year. On Feb. 28, an outage shut down a large portion of websites and apps on the east coast, when an employee made a typo in the command input.
In another instance, a vendor error caused a misconfiguration on a MongoDB database at Bronx-Lebanon Hospital Center in May.
These issues highlight the need for hospitals to exercise caution when uploading data to the cloud, as user error is a major issue. Cybercriminals -- who make a living off these vulnerabilities and exposed databases -- are constantly surveying the internet to find flaws and sell the data on the dark web.