On Wednesday, news first broke about the potential data leak affecting between 6 and 16 million Verizon customers. The data leak was caused by a misconfigured privacy setting on a cloud storage server. Verizon has now acknowledged that the user data was vulnerable; it has since been secured.
The security incident was discovered by cybersecurity firm UpGuard and is the result of human error during the server setup process. Because cloud storage is accessible remotely, it is standard practice to password-protect access, especially when dealing with client data. Unfortunately for Verizon, the company it had hired to manage the data left the server on the public access setting. This means that for roughly six months, anyone with a direct link to the server could have viewed the stored information. Since the stored data contained client phone account information, the leak could have potentially devastating results.
Phone security in general is often neglected, which should be a frightening concept for anyone familiar with two-factor authentication. The most common form of two-factor authentication combines a user account password with a randomly generated short-term access code. Typically, users will set up their personal cellphone to receive the access code, which can then be used in conjunction with whatever online account they are trying to access. Most people assume that because they keep their phone with them at all times, there is very little chance of this form of two-factor authentication being exploited. Unfortunately, the Verizon leak illustrates how easy it would be to bypass the security.
The information that was part of the Verizon data leak contained customer names, phone numbers and account PINs. If an individual were to gain this information, it would have been enough to access the owner's account. From there it would be possible to view all personal account info, change settings and even go so far as to request an account transfer.
An account transfer scam, or SIM swap scam as it is commonly called, is where a scammer gains partial access to a cell phone account and uses that information to transfer data rights and, more importantly, a phone number to a different device. Once the user's account is transferred onto a new device, a scammer gains access to personal email, social media accounts and any other data that was connected to the original device. Mobile authenticators also use a phone number to determine if a user is who they say they are; this means a scammer would also gain access to any account locked behind two-factor authentication.
Since the leak occurred, Verizon claims to have looked into the storage access logs and has stated that no unauthorized parties viewed the data. Regardless, this should be seen as a wake-up call for users and businesses alike when it comes to phone-related data security. Also, while Verizon claims that no data was stolen as a result of this leak, it is advisable to keep a close eye on your personal accounts and report any suspicious activity.