Verizon Enterprise Customer Data Up For Sale
For most companies, having hackers steal their customer data from a web portal would certainly be a difficult event to deal with. But for the enterprise telecommunications unit of Verizon, it’s a much more painful, if not embarrassing, business situation. This could be this year’s biggest black eye in cybersecurity: how could Verizon be a victim of such a large breach when many government agencies and most of the Fortune 500 protect their data in large part with Verizon services?
What makes this event even more ironic is that Verizon is the author of the annual Data Breach Investigations Report (DBIR), which collects and analyzes thousands of breaches every year (this year’s report is not published yet). This is a very informative report that many within information security rely on to keep up to date with identifying possible system and software vulnerabilities. It will be interesting to see if Verizon includes this event in the next report. As stated on the Verizon Enterprise website:
“Prepare by learning all you can from the latest data on threat patterns and the anatomy of attacks. Recognize where your organization is most vulnerable, where opportunity for data loss is greatest, and how it can be controlled and prevented.”
Krebs on Security, a leading reporter on cybersecurity issues, reported that it discovered advertisements for the sale of database records on over 1 million Verizon customers, being sold in batches of 100,000 records for $10,000 each. The seller was also offering information on the website vulnerability. Soon after, according to Verizon, the security vulnerability was discovered and remediated on their enterprise client portal. According to a company statement, “No customer proprietary network information (CPNI) or other data was accessed or accessible.” With that, we would assume that proprietary Social Security numbers were not accessed in this breach.
What Happens Next?
The impact of this breach, however, is potentially substantial even without Social Security numbers being found. Depending upon the extent of information sold, Verizon’s own enterprise customers, who looked to them for protection, could now potentially be open to attacks on multiple levels, starting with targeted spear phishing attacks.