Hard on the heels of Verizon Enterprise Solutions’ data breach of 1.5 million customer contact details, the news comes that an open database of 50 GB of Verizon data had been discovered, unprotected by any password or authentication.
MacKeeper security researcher Chris Vickery discovered the DB back in December and disclosed it to Verizon. All that was needed in order to access it was a MongoDB client and the IP address.
For its part, Verizon said that the database contained non-sensitive information either already publicly available, or essentially meaningless external to Verizon—and no customer data.
“The vast majority of the data was reference ‘production’ data, including show titles, descriptions, availability and other metadata associated with FiOS programing,” a spokesperson said. “All of this data is available on publicly posted FiOS lineups...and general TV listing sites.”
Vickery was nonetheless concerned that, even after a back-and-forth with Verizon’s director of cybersecurity, Jim Matteo, Verizon had done little to fix the issue, which prompted him to go public. After notifying Verizon of his intention, he received a response this week.
“I had not heard back from Jim until March 28th, 2016 when the Verizon PR staff heard that I was planning to post this article,” he said in a blog post. “The Verizon PR team claimed that the MongoDB was only a test environment with fictitious customer data, non-sensitive reference material, unique encryption keys and solely used passwords specific to that test environment.”
Vickery disputed that claim: he had been in possession of 50 GB of the data (now purged), and at least some of the database tables were actually marked as production (i.e. not test data).
“Companies, when caught with their pants down, almost always claim that the exposed data is fictitious, or just a test environment,” Vickery said. “It’s an easy excuse that, if believed, gets them out of a lot of potential embarrassment and liability. I’d say that 90% of the breaches I find are initially denied as just ‘test data.’ But I’d also say that the vast majority of those do indeed turn out to be real breaches in the end.”
Vickery said that Verizon’s Matteo later told him that he was right, and that the situation amounts to a “hybrid breach” scenario.
“It turns out that there was indeed production data here in somewhat of a test environment,” said Vickery. “There had been some kind of service disruption in one of Verizon’s network services around November 6th, 2015. That’s when this test environment was put together and populated with, at least some level of, production data. It was used to troubleshoot and resolve the errors, but then wasn’t properly taken down after the problems were fixed.”
Last week, another MongoDB database of Verizon Enterprise Solutions (VES) customer info, including for some of the top Fortune 500 companies, was found up for sale on an underground cybercrime forum, with a price tag of $100,000. Independent security researcher Brian Krebs ran across the information on the Dark Web. He said that while interested parties could buy the whole package, the seller also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Also for sale: information about security vulnerabilities in Verizon’s website.
Though there are no signs that criminals accessed the database in the latest disclosed issue, and the exposure was unrelated to a cyber-attack, “it took them a month to plug the hole,” Vickery said. “It never made the news, but now I wish that I had made a bigger deal out of it. Maybe that would have spurred some changes which could have prevented the breach that Krebs wrote about.”
“This issue is NOT related to the recent issue reported by Krebs,” the Verizon spokesperson stressed.