Verizon data might have been leaked!

Another day, sadly, means another opportunity for another data breach. In what appears to be the result of a major oversight, it has been reported that a server containing Verizon customer data was exposed to the open Internet for an unspecified amount of time. Verizon released a statement about the incident on July 12, but the company was alerted to the issue on June 13 by security researcher Chris Vickery, who also discovered the RNC data leak. While Verizon’s security issue was solved last month, the damage has long been done – although it’s not completely clear what the extent of the damage is. Keep reading as we elaborate on the Verizon data leak and what you can do to protect yourself.

Why was the Verizon data exposed?

One of Verizon’s third-party service providers, NICE Systems, misconfigured a server where Verizon customer data was stored. This misconfiguration essentially allowed anyone to access the server from the Internet like a regular website, provided they knew the URL. While many reporting on the incident have called it a “data breach,” the term might be misleading, as a breach implies that information was actively read and taken by specific actor(s). This situation is more akin to a data leak, where tidbits of private information are accidentally leaked out or exposed due to some technical error. In this regard, this Verizon incident is fairly similar to last year’s Cloudbleed, or even the aforementioned RNC leak. Just like these incidents, it isn’t clear whether anyone could have exploited (or did exploit) this leak to their advantage. Verizon claims that no data has been lost or stolen, but not everyone is convinced that this is true.

What information was exposed?

The information contained in the database is fairly extensive. Some of the records included customers’ names, cell phone numbers, street addresses, email addresses and, in some cases, account PINs. Some portions of the records were partly redacted or encrypted, as Vickery couldn’t read all of the information, but he estimated that the number of accounts affected by this could be close to 14 million. Verizon disputes this and, after its own internal investigation, said in both a statement to CNN and a press release that the number is actually 6 million. Verizon’s release also notes that there’s no evidence to suggest anyone other than Vickery accessed the database. Finally, the customers affected seem to be Verizon’s wireline customers (likely small businesses and residents using services like FiOS), not Verizon Wireless customers, as many news stories suggest. Furthermore, only wireline customers who have called customer service in the last six months were included on the server. Those who spoke with representatives in person or those who spoke with representatives over the phone more than six months ago don’t seem to be included on this server.

Should I be worried about my information leaking?

While there’s no evidence to suggest that anyone viewed the database, for many, it’s still a concern because good hackers know how to erase their presence. This leak could only have been exploited by someone who knew about it, a scenario which security researchers often refer to as security by obscurity (or sometimes just bad security), but this usually doesn’t end up ensuring a system remains untouched by hackers. The reason why security by obscurity, at least alone, doesn’t work is that the modern Internet is easy to navigate. For example, in a previous post, we briefly talked about an Internet of things search engine, Shodan, which is often called the Google of things. Shodan can find devices and servers which have poor security settings that expose them to the Internet. This means that hackers don’t necessarily have to plan and pick out targets deliberately – they can find “obscure” targets like they can find any others.

What should I do?

As a consumer, the rule of thumb is that any time information is compromised, even if only indirectly, it’s a good idea to take it as a sign to change your passwords, change any PINs associated with the accounts and – if you’re really security-minded – consider investing in identity theft protection, which will help you keep tabs on who is using your identity. Since there’s no way you can change your name and (most likely) address, the next best thing is to try and monitor your identity. Keep in mind that hackers can sit on information for years before they try and sell it in online black markets, and since data leaks are nothing new, there’s no harm in having identity theft protection.

The good news out of the Verizon data leak is that no source claims that social security numbers were stored on the server, so no one has to worry about the more severe and financially damaging types of schemes often used to open fraudulent credit accounts. Still, your name, address and Verizon PIN can be used in social engineering schemes to fool customer service representatives into giving up your personal information to someone pretending to be you, or to fool you into giving up information thinking you’re talking to a Verizon representative, which is why you likely want to at least change your Verizon PIN and password. While things aren’t as bad as they could be, this incident definitely isn’t anything to take lightly.
