Boardroom Technology

What the Verizon Data Breach Teaches Us About the Importance of Good Cybersecurity Regulations

An Israeli technology company recently exposed millions of Verizon customer records. The data was downloadable by anyone with the easy-to-guess Web address.

On July 12, 2017, ZDNet reported that as many as 14 million records of Verizon customers were left unprotected. Subscribers who had called Verizon’s customer service within the prior six months were affected. The vulnerable records were found on an unprotected Amazon S3 storage server that was controlled by an employee of NICE Systems, a Ra’anana, Israel-based company.

Shortly after the discovery, the Cyber Risk Team at UpGuard, which focuses on discovering breaches, implementing fixes and developing long-term solutions, reported “that a misconfigured cloud-based file repository exposed the names, addresses, account details and account PINs…The data exposed in the Verizon/NICE Systems cloud leak is, indeed, a testament to how profoundly every aspect of life today is touched by those systems to which we impart so much knowledge.”

NICE Systems, a third-party vendor for Verizon, owned and operated the cloud server. According to CNN, the security breach was caused by “a misconfigured security setting on a cloud server due to human error.” It took over a week before the data was eventually secured.

Where Verizon Went Wrong

A Verizon spokesperson said that it “provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.” One account from a senior Verizon employee with knowledge of the situation said that the company was unaware that the data was being exfiltrated or exported, and Verizon had no control over the server.

The customer records were contained in log files that were generated when Verizon customers placed calls to customer service in the last six months. These interactions are recorded, obtained and analyzed by NICE, which says it can “realize intent, and extract and leverage insights to deliver impact in real time.” Verizon uses that data to verify account holders and to improve customer service.

Washington has taken notice. Congressman Ted Lieu (D-Calif.), who was also a computer science major, said that the cloud leak was “highly troubling” and will ask a Judiciary Committee to investigate. “I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again.” Lieu, also a Verizon customer, said: “I would like to know if my data was breached.”

The Concerns Over Cybersecurity

The Verizon story, not the first and surely not the last, begs the question, “How safe is your cloud-stored data?” Cloud computing means Internet computing. Apple co-founder Steve Wozniak decried cloud computing in 2012, saying: “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.” It is wise to think hard about using cloud computing applications when you are not comfortable using or storing your data on the Internet. While established cloud computing vendors have stressed the efforts that have been made to implement the latest and best data security systems available, data security remains a big concern, and cloud-based systems credibility continues to suffer in the wake of the Verizon and numerous other breaches.

Cloud data is accessible from anywhere on the Internet, meaning that if a breach occurs via hacking, a disgruntled employee or careless username/password security, business data can be compromised. Data breaches continue to impact more companies generally considered secure. One would assume, for example, that the Internal Revenue Service would have one of the most secure systems, but even they experienced a data breach in 2015.

Protection in these instances always comes down to the human element, the rigorous development, implementation and continual senior oversight of excellent security regulations. According to Bitglass CEO Rich Campagna, companies like Verizon must implement policies that require third-party vendors like NICE Systems to protect any customer data that comes in contact with the cloud. According to Campagna, “This breach once again demonstrates the fact that cloud services like AWS can be secure, but it is up to organizations using them to ensure that services are configured in a secure fashion.”

It is hard to imagine an enterprise function where proper safeguards against cybersecurity breaches are more important, or the impact of a breach more severe, than the functions of corporate boards of directors. As a result, over the past decade, cybersecurity has increasingly gained attention in boardrooms around the world. Cyber risk, which has always represented a significant area of enterprise risk, is finally being acknowledged as intersecting with other areas of the board’s oversight, including strategy; operations; and legal, financial and reputational risks.

How to Choose the Right Cloud Storage Solution

In response to this concern, the Diligent Corporation, which “has set the standard for providing the most useful product and responsive service so the world’s boards and leaders can communicate and collaborate securely,” recently partnered with NYSE Governance Services, and conducted a survey of more than 350 corporate directors of publicly traded companies to gain a better understanding of current board communications practices.

The findings of the survey were not surprising. A large number of directors appeared to assume that someone else was minding the cybersecurity store and lacked basic knowledge of the nature of the threat and the ease with which an individual can open the door to a breach in an inadequately secured system. For example, sending private emails to convey board information is still a common practice. The problem for Boards is two-fold: 1) Boards need to be educated about the severity of overall enterprise cyber risk and to assume a greater responsibility in managing that risk, and 2) individual directors must take personal responsibility for assuring that they work within secure parameters with respect to Board activities.

The Diligent Boards platform is a self-contained board solution and possesses stringent regulations to provide both efficiency of use and world-class security for all Board functions.

Featured Blog