Skip to main content

Major Verizon Data Breach: What to Do Now

UPDATED 8:20 a.m. ET Thursday (July 13) with a statement from Verizon.

Have you called Verizon customer service in 2017? Better change your account personal identification number (PIN), if you have one.

Credit: DayOwl/Shutterstock

(Image credit: DayOwl/Shutterstock)

Verizon told CNN that personal information pertaining to six million customers, including names, street addresses, email addresses, telephone numbers and account PINs, had been left exposed in a database on a third-party cloud server for an undetermined length of time.

UpGuard, the information-security company whose researcher, Chris Vickery, found the exposed database, contended in its report today (June 12) that the number of affected Verizon accounts might be closer to 14 million.

MORE: What to Do After a Data Breach

The unprotected cloud server was operated by NICE, an Israeli firm that handles customer-service operations for many large American companies.

Vickery, who specializes in finding unprotected data online, stumbled across the database by guessing its web address. He said it contained logs of Verizon customer-service inquiries beginning in January 2017.

Vickery notified Verizon of the exposed database on June 13, the UpGuard report states, but the database was not fully secured until June 22. There is no evidence that anyone other than Vickery accessed the data — but on the other hand, there's no evidence that no one did.

Although the logs made reference to voice recordings of customer-service calls, the UpGuard report said Vickery found none on the server.

It was not immediately clear whether the customer database pertained to Verizon wireless, landline or business customers, or a combination of any of the three.

Last month, Vickery revealed that he'd found data pertaining to nearly every registered U.S. voter on an unprotected online database run by a political analytics firm. That was the second time he'd done so. Last year, he found data pertaining to nearly 2,000 children in a server run by a parental-monitoring software firm.

Vickery also found data on the NICE server pertaining to Orange, a French cellular carrier that has operations in two dozen countries in Europe, the Middle East and Africa. That data appeared to be less sensitive.

UPDATE: Verizon has released a statement that reads, in part:

"We have been able to confirm that the only access to the cloud-storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."

The statement goes on to imply that the telephone numbers involved are primarily from residential and business landlines, and that "the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts."

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.