As news spread today of another potential Verizon data breach incident that exposed millions of customer records, IT security experts commented below.
Willy Leichter, Vice President of Marketing at Virsec:
“This latest incident raises thorny security issues because it seems both careless and suspicious. Obviously leaving 14 million records unprotected is careless and implies a lack of controls, security and governance, in an organization that is entrusted with vast quantities of legally protected personal information. But it’s equally suspicious is that this company with close government ties, a history of supporting surveillance, and phone cracking, would have ungoverned access to sensitive data, and treat security so casually.
Regardless, this will be a heated board-level issue for a $1 billion company like Nice, and a $125 billion-plus company like Verizon. If the European General Data Protection Regulation (GDPR) was in effect (it is starting in May 2018) there could be a fine as large at $5 billion (4% of annual revenue) for this single incident.”
Jeff Hill, Director, Product Management at Prevalent, Inc:
“Eerily similar to the Deep Root Analytics data exposure (GOP vendor that accidentally stored voter data on an unsecured Amazon server last month), the Nice Systems episode underscores the relevance of the age-old aphorism “never attribute to malice that which can be reasonably explained by stupidity.” Visibility into your vendors’ controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors’ custody. Although Hollywood and the evening news have created an often dramatic image of data breaches, replete with clandestine operatives, advanced technology and rogue government organizations, the reality of threats to data in the custody of vendors – as illustrated by both the Deep Root Analytics and Nice Systems examples – can be decidedly more pedestrian…and disconcerting.”
Rich Campagna, CEO at Bitglass:
“This breach once again demonstrates the fact that cloud services like AWS can be secure, but it is up to organizations using them to ensure that services are configured in a secure fashion.”
“This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest. Companies like Verizon must put policies in place that require third-party vendors like Nice to adequately protect any customer data that touches the cloud.”
Zohar Alon, Co-Founder and CEO at Dome9:
“The exposure of highly sensitive information via misconfigurations in public cloud services such as Amazon S3 are becoming far too frequent and the world is taking note. In just the past couple of months we’ve seen first-hand examples of Verizon, the WWE, the U.S. voter records leak and Scottrade expose sensitive information through mismanaged AWS S3 servers. It has become abundantly clear that many users still do not fully understand how to configure S3 buckets to prevent data exposure.
Storing sensitive data in the cloud without putting in place appropriate systems and practices to manage the security posture is irresponsible and dangerous. A simple misconfiguration or lapse in process can potentially expose private data to the world and put an organization’s reputation at risk.
These examples put an exclamation point on the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked. Even with strict security controls in place, it no longer takes an elaborate attack to damage an organizations reputation. Damaging leaks and breaches such as this will continue to rise until there is more of an emphasis on training and technology to address these very basic process failures.”
John Gunn, Chief Marketing Office at VASCO Data Security:
“The fact that no data may have been downloaded doesn’t minimize the risk of instances such as this. Sure, a mid-air miss is better than an air flight disaster, but neither should ever happen. Data such as this can be used by hackers for all types of attacks, especially phishing attacks, by giving them legitimacy in the mind of the victim. We saw this recently with the DocuSign breach and the subsequent successful attacks against their users.”