Even organizations that operate with an enlightened security mindset are most likely focused on their own domain. They are certainly very aware that their data travels and is transacted beyond their corporate walls, but few actively audit how it’s handled by third parties on a daily basis. The recent discovery that a Verizon partner left an Amazon S3 bucket inadvertently unsecured, thus exposing sensitive Verizon customer information, highlights the need for enterprises to have visibility into how partners and other stakeholders keep their data secure.
The story is becoming part of a recurring theme, but the magnitude of this potential breach was staggering. Verizon partner Nice Systems logged customer files that contained sensitive and personal information (including customer names, corresponding cell phone numbers, and specific account PINs) in an Amazon S3 bucket. For reasons unknown, that bucket was left unsecured, thus exposing more than 14 million Verizon customer records to anyone who discovered the bucket. Security experts have suggested that this level and type of exposure can ultimately result in account takeovers through phone number hijacking. With access to the vulnerable data, hackers could break into customers’ email and social media accounts, even those of customers using multi-factor authentication. The situation was fixed (after six days of round-the-clock remediation), but the exposure could have led to extreme consequences.