The data leaks just don’t stop coming! Verizon, the US cellular giant, has become the newest company not to properly secure itself in the cloud. An unsecured AWS S3 bucket the culprit this time again.
This time around, researchers from Kromtech Security were doing the digging.
These are the same guys that unearthed similar cloud security issues with Time Warner Cable, the cable provider, and Groupize, a hotel booking company.
And they were able to easily access the storage bucket that contained the billing system of the company along with the Distributed Vision Service (DVS) software that powered it. Although no customer details were available, data that could have allowed access to internal Verizon infrastructure was.
As noted:
“DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data
Although no customers data are involved in this data leak, we were able to see files and data named ‘VZ Confidential’ and ‘Verizon Confidential’, some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon’s internal network and infrastructure.”
Among the information that was available, were a number of Outlook messages, router host information, and B2B payment server names and information.
As is usually the case, this unsecure instance was misconfigured due to a human error. It had been set up to allow anyone on the Internet to access. No technical failing of AWS or Verizon here — just that someone had forgotten to disable public access.
But it’s faults like these that are enough for hackers and cybercriminals to break through.
Verizon Wireless, after receiving a notification email on September 21 by the Kromtech researchers, had the online archive taken down short after.
All’s well that ends well.
0 comments