Over the last six months, data pertaining to at least 14 million subscribers who used the telecommunication giant’s customer services was stored on an insecure Amazon S3 server used by an employee of Nice Systems, a vendor based in Ra'anana, Israel, whose customers include 85 of the Fortune 100 companies.
Because the server was unsecured, anyone who had its web address could download the information, which included customer names, phone numbers and account PINs, information that can be used to access a subscriber’s account.
The breach took a week to secure after it was discovered in late June by Chris Vickery, director of cyber risk research at the UpGuard security firm, which privately reported the exposure to Verizon.
ZDNet reports that Nice raked in $1.01 billion in revenue in 2016 and works chiefly in financial crime and compliance and in customer engagement. With more than 25,000 customers in about 150 countries, its largest customer base is in financial services, with Verizon and other telecom companies serving as important mainstays.
Nice has connections to several government intelligence agencies, according to Privacy International and other watchdog groups, and is also known to have a close relationship with Cellebrite and Hacking Team, phone cracking and surveillance groups.
In a 2014 report, Privacy International noted that Nice and Herzliya-based software company Verint Israel "supplied monitoring centers to Kazakhstan’s KNB and Uzbekistan’s SNB, two security agencies widely implicated in human rights abuses. The monitoring centres allow agencies unchecked access to citizens' telephone calls and internet activity on a mass, indiscriminate scale."
Nice said in an annual regulatory report filed with the Securities and Exchange Commission that it can’t control how customers use its software. "Our products may also be intentionally misused or abused by clients who use our products," the company explained.
US Rep. Ted Lieu (D-CA) called the breach "highly troubling," telling ZDNet, "I'm going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn't happen again."
Both Nice and Verizon have confirmed the breach, though Verizon says that "only" 6 million customers’ data was exposed.
Dan O’Sullivan, also from UpGuard’s cyber risk research team, wrote in a blog post, "Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication."
He added that the exposure serves as an example of how risky it is to place sensitive information in the hands of third-party vendors like Nice.