Businesses everywhere, beware—what happened at Verizon can happen to you, too.
The names, addresses, phone numbers and in some cases, security PINs of 6 million Verizon customers stored on large cloud-computing servers were made available to the public, the telecommunications carrier said this week after a cybersecurity company notified it of the exposed data.
Verizon chalked the leak up to human error, saying it was because an employee of NICE Systems, one of its contractors that it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.
The leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee. In a similar scenario, the RNC contractor had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access.
More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.
“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” Nathaniel Gleicher, former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.” His take: data leaks are going to keep happening until cloud storage systems become more automated and enterprises have more help dealing with systems.
Amazon Web Services, where the Verizon data was stored, operates under a “shared responsibility” model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.
It’s roughly similar to a Google Docs user setting the “sharing” setting to private, a small group, or anyone.
After uploading files into an Amazon Web Services server, a business makes adjustments to who can access the files in a certain “bucket”, and the permissions (say to edit or just view). By default, the data is set to private so that only the person uploading the files can see them. The user can widen access to various groups, including authenticated users, that is, anyone with an AWS account that has permission to access the files; and everyone.
“Use this group to grant anonymous access,” says the AWS website.The NICE Systems employee might have clicked the “everyone” category while meaning to give access to another group.