A database containing the contact information of some 1.5 million Verizon Enterprise customers has been offered up for sale following a data breach.
Security blogger Brian Krebs has described how a member of a “closely guarded underground cybercrime forum” recently offered for sale a database containing the contact information of 1.5 million Verizon Enterprise customers.
Verizon Enterprise is a branch of the well-known telecommunications company that develops business solutions designed “to move large amounts of information from one location to another, reliably and securely” and “deflect sophisticated hacker attacks.”
Krebs goes on to note that the forum member is currently selling the whole kit and caboodle for US $100,000, though he would be willing to sell parts of the database off individually for US $10,000.
The telephone and Internet service company has issued a statement in which it attributes the breach to a security flaw that its teams have since remediated:
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
CPNI is the type of data commonly collected by telephone companies including the time, date, and duration of each call placed on its network.
As of this writing, Verizon has not directly commented on how the database was compromised.
But that has not stopped some from postulating.
One clue could be the fact that the database is up for sale in the MongoDB database format – suggesting that the attackers used the MongoDB platform to empty the contents of Verizon’s database.
This sheds some light on what type of vulnerability Verizon’s teams may have discovered.
Deral Heiland, global services research lead at security and analytics firm Rapid7, described to SC Magazine what they believed may have happened:
“[The attackers] apparently offered to sell information about vulnerabilities within the website. This initially leads me to believe that the most likely cause of the break-in was probably a SQL injection vulnerability. If MongoDB was being used, this is known as a NoSQL database and traditional SQL injection attacks will not work, although NoSQL databases are still subject to injection attacks, which can be leveraged to extract data from the MongoDB.”
As Verizon Enterprises says in its own promotional video, “organisations need to rethink their patching strategies”:
Regardless of the nature of the security flaw, it is certainly ironic that Verizon Enterprise – which is well known for its annual report on the latest trends in data breaches – itself experienced a breach.
Ultimately, the exposed contact information does not appear to pose too much of a risk – at least not as a direct consequence of a security incident.
However, as Adam Levin, chairman and founder of identity protection firm IDT911, told SC Magazine, those affected by the breach will need to be on the lookout for scams:
“Customers who have been exposed are now prime targets for targeted phishing attacks. They must be careful not to click on suspicious links or authenticate themselves to anyone who contacts them, lest they become unwitting co-conspirators in the theft of their own identities.”
If you are a Verizon Enterprise customer, be on your guard for suspicious emails and calls that ask for your personal information.
As for Verizon Enterprise itself, I’m sure the unit will have fun writing about this incident in its next data breach report.
Verizon are going to bury this – they're ashamed.