ZDNet reports that data of more than 14 million Verizon customers were available for download on an unsecured Amazon S3 server.
Apparently, it was log data created within the last 6 months in the Verizon Customer Center from each customer who called. Verizon logs all calls and operations for immediately analyze – Verizon uses the data to confirm the customer account and to improve customer service.
Account, phone, PIN
Each database entry contains the full customer name, cellphone number and account PIN of the respective customer. With this information everyone would get full access to the customer’s account, including all account settings – call forwarding, SIM blocking, applying for new phones or contracts, etc.
Compromised bank account with SMS PIN
In case the attacker also knows more customer’s data, such as bank or credit card it would be even possible to make bank transfers or even buy something in the Internet via bank or credit card. Many banks or credit card companies use SMS PIN for verification of the account. They will SMS during a transfer to the cellphone on record, which must be entered by the customer for verification.
With the data, any attacker has possibility to redirect these SMS with help from Verizon Customer Center to another device.
An employee of the security company UpGuard has found the data end of June found and informed Verizon immediately. It took more than one week until the data was secured.