NEW YORK — A security lapse has exposed data from millions of Verizon customers, leaking names, addresses and personal identification numbers, or PINs, according to a security researcher.
Verizon (VZ) said 6 million customers were affected, but the company said that none of the information made it into the wrong hands. The company said the only person who got access to the data was the researcher who brought the leak to its attention.
It is unclear, however, how Verizon determined that information.
ZDNet reported that as many as 14 million customer records were on an exposed and unprotected Amazon S3 cloud server for the past six months. Anyone who had the web address could download the data, ZDNet reported.
Chris Vickery, director of cyber risk research at UpGuard, found the leak in late June. UpGuard said the problem stemmed from a cloud server that a third-party vendor had misconfigured.
Exposing just two pieces of customer information, such as a name and phone number, can be potentially disastrous because a third party could use that information to break into someone's account. Justin Williams, an AT&T customer, was the victim of such a scam last week, per ZDNet. He ended up having money withdrawn from his bank account, he said. (The phone company later repaid him.)
Verizon's breach is not a wireless issue, but is related to a residential and small business wireline self-service call center portal, the company said.
Gartner analyst Avivah Litan said the issue comes down to human error and it doesn't make sense to blame cloud service providers like Amazon and Google. She said such lapses are likely common, but it's hard to know since we only know what's disclosed.
This story has been updated.