Businesses everywhere, beware—what happened at Verizon can happen to you, too.
The names, addresses, phone numbers and in some cases, security PINs of 6 million Verizon customers stored on large cloud-computing servers were made available to the public, the telecommunications carrier said this week after a cybersecurity company notified it of the exposed data.
Verizon chalked the leak up to human error, saying an employee of NICE Systems, one of the contractors it uses to analyze its customer service response, made a mistake. No customer information was stolen, Verizon said, and it apologized to its customers.
Still, the risk was clear: A criminal who discovered the data could have used or sold the identifying information for the type of fraud that can wreak havoc on consumers' lives.
The leak comes a month after the discovery that the names, birthdays, addresses and other personal details of 200 million registered voters were exposed by a contractor for the Republican National Committee.
In a similar scenario, the RNC contractor — Deep Root Analytics — had failed to ensure that the voter files stored on an Amazon cloud account were not available to public access. As with the Verizon exposure, Mountain View, Calif. cybersecurity company UpGuard identified the data cache.
More such exposures are likely until businesses, which are increasingly using the cloud to store and analyze customer data and their own content — for instance, images that populate their websites — get a firm grip on the security protections they need to place around such data.
“When you have these complex systems and you force humans to solve the problem manually, we make mistakes,” said Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former director of cybersecurity policy in the Obama administration. “Complexity is the enemy of security.”
His take: data leaks are going to keep happening until cloud storage systems become more automated and enterprises have more help dealing with systems.
Amazon Web Services, where the Verizon data was stored, operates under a "shared responsibility" model with the customer — the Amazon cloud unit controls the physical security and operating system, and gives customers encryption tools, best practices, and other advice to help them maintain security of their data. The customers are responsible for making sure their applications are secure.
It's roughly similar to a Google Docs user setting the "sharing" setting to private, a small group, or anyone.
After uploading files into an Amazon Web Services server, a business makes adjustments to who can access the files in a certain "bucket", and the permissions (say to edit or just view). By default, the data is set to private so that only the person uploading the files can see them.
The user can widen access to various groups, including authenticated users, that is, anyone with an AWS account that has permission to access the files; and everyone.
"Use this group to grant anonymous access," says the AWS website. The NICE Systems employee might have clicked the "everyone" category while meaning to give access to another group.
NICE's explanation was that "this human error is not related to any of our products or our production environments nor their level of security, but rather to an isolated staging area with limited information for a specific project."
Verizon declined to elaborate on its contractor's mistake.
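An added example, not from the original article or from AWS: a short Python audit that flags access-list grants to the "everyone" and "authenticated users" groups described above, so that a mistaken click shows up in a routine check. The ACL dictionaries follow the shape that boto3's get_bucket_acl() returns; the bucket names, grants and severity labels are constructed for illustration.

```python
# Added example: flag bucket ACL grants that reach beyond named accounts.
# Input mirrors the dict shape returned by boto3's get_bucket_acl().
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BROAD_GROUPS = {
    ALL_USERS: "everyone (anonymous)",
    AUTH_USERS: "any authenticated AWS user",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # can alter data or the ACL


def audit_acl(bucket, acl):
    """Return one finding per grant made to a broad, predefined group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grant to a specific account: not what this check covers
        audience = BROAD_GROUPS.get(grantee.get("URI"))
        if audience is None:
            continue  # some other predefined group, e.g. log delivery
        perm = grant.get("Permission", "")
        severity = "critical" if perm in WRITE_LIKE else "high"  # assumed labels
        findings.append({"bucket": bucket, "audience": audience,
                         "permission": perm, "severity": severity})
    return findings


def audit_all(acls):
    """Audit every bucket, in name order, and return the combined findings."""
    report = []
    for bucket in sorted(acls):
        report.extend(audit_acl(bucket, acls[bucket]))
    return report


def group_grant(uri, perm):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


# Constructed sample data: one private bucket and two over-shared ones.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "private-backups": {"Grants": [OWNER]},
    "staging-customer-logs": {"Grants": [OWNER, group_grant(ALL_USERS, "READ")]},
    "web-images": {"Grants": [OWNER, group_grant(AUTH_USERS, "WRITE")]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['severity']:8} {f['bucket']}: {f['permission']} -> {f['audience']}")
```

The owner's own grant is never reported; only grants to the two broad groups are.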
Chris Vickery, director of cyber risk research at UpGuard and the person who found the data leaks and alerted Verizon and the RNC to them, expects more leaks will happen in the future because the enterprises using cloud storage don’t understand it.
“There are a bevy of pitfalls you can get caught in if you rush too quickly into technology you’re not prepared to handle,” said Vickery.
There are ways for enterprises to see if their data is vulnerable.
Vickery advises that once a month, an enterprise have one of its IT staff members go home early and see if they can access any of the cloud storage websites that contain sensitive data without special access. If they can get in, so can other people.
Vickery said if every enterprise did this, he would be out of business.
Sanjay Beri, founder and CEO of cloud apps analytics company Netskope, said he sees these types of leaks all the time as his company works with enterprises to ensure their cloud storage is safe and secure.
Beri said in order for enterprises to be secure, they need to make sure that everyone who works for them is on the same page. If an enterprise uses multiple cloud storage systems and its contractors use different ones, the enterprise's IT department needs to know about it so they can make sure it is just as protected.
According to Beri, only 10% of the 25,000 different cloud storage systems out there are suitable for enterprises to use. The other ones don't have the right protections available.
However, Verizon's data leak is not a reason to avoid using cloud servers to store data.
“The worst thing you can do is to look at this and say ‘Oh my god, I can’t use the cloud!’” said Beri.
Follow USA Today's Madeline Purdue on Twitter, @madelinepurdue.