Verizon Security Breach Down to Human Error

Verizon saw around 6m users’ details leaked online after human error led to a misconfigured security setting on a cloud server. According to experts, these things happen.

We’re never quite secure, despite our best efforts. Online or offline, ultimate security is an ideal destination, but not necessarily an achievable one.

That said, the more protections in place, the closer we get to that ideal. Good anti-malware and antivirus software can protect users from most cyberattacks. Well-organised networks and backup processes can limit a company’s exposure, should it be successfully attacked.

But attacks do happen, and companies and individuals are always the victims.

This week, Verizon was one such victim, along with around 6m of its customers, thanks to a simple instance of human error.

The names, addresses and phone numbers of millions of Verizon customers were publicly exposed online, with security PINs included in some cases.

Verizon exposure

Verizon said the customers’ accounts were exposed when an employee of Nice Systems put information into a cloud storage area and permitted external access to the information.

Dan O’Sullivan, who works at UpGuard – the company that discovered the threat – said exposed PIN codes are a concern because they allow scammers to access people’s phone services.

“A scammer could receive a two-factor authentication message and potentially change it or alter [the authentication] to his liking,” O’Sullivan said. “Or they could cut off access to the real account holder.”

In this case, the company got lucky, as UpGuard worked with Verizon to fix the issue before any major damage could be done.

These things happen

However, lessons can, and should, still be learned from the incident, according to Eyal Aharoni, the COO of cybersecurity firm Cymulate.

“Miss configuration [sic] of security settings – no matter if you are in the cloud, as happened in the current issue, or on premises – it is still an issue that can happen due to human error or by faulty updates and patches,” he said.

“Even missing marking a simple checkbox such as marking security setting public, instead of private, could leave your organisation exposed to sensitive data leakage or to damaging attacks.

“You should always verify that changes and updates made were done properly and have not exposed you.

“This can be done through automatic sanity checks, security assessments and testing your security controls continuously.”