Verizon claims data breach report was overblown

embedded systems, IoT, security

Verizon is fighting back against claims made in a ZDNet report that there was a large breach of its customers’ data, telling other media outlets that no loss or theft of customer information occurred.

There were nearly 14 million subscriber records who called Verizon’s customer service department in the past six months that were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems.

The data, according to the report, was downloadable by anyone with the easy-to-guess web addresses.

RELATED: Verizon data breach report reveals phishing, ransomware issues jumped in 2016

"As a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," a Verizon spokesperson told CNBC on Wednesday, in a subsequent report. "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."

Verizon said Nice was tasked with helping the service provider improve the self-service portal for customers and required the customer data for the project. The company confirmed that the only access to the cloud storage area by a person other than Verizon or its vendor was the researcher who brought this issue to the company's attention.

All of the customer records over the last six months were stored in log files that were generated when Verizon customers called customer service.

Customer interactions with Verizon’s customer service staff are recorded, obtained, and analyzed by Nice. Nice said it can "realize intent, and extract and leverage insights to deliver impact in real time." Verizon then uses that data to verify account holders and to improve customer service.

Verizon said that the "overwhelming majority" of the data "had no external value," although there was a limited amount of personal information included, such as mobile phone numbers for customer contact purposes.

The service provider added that the number of subscriber accounts reported by ZDNet was overstated, and the actual number was around 6 million unique customers.

"We regret the incident and apologize to our customers," Verizon said in a statement.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, alerted Verizon of the exposure shortly after it was discovered in June.

However, it took over a week before the data was eventually secured, according to the ZDNet report.

Verizon’s data issue got the attention of Ted Lieu, a Democratic congressman, who said the exposure was "highly troubling."

"I'm going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn't happen again," he told ZDNet.