If you've had to call Verizon customer service recently, you might want to keep a close eye on your data. ZDNet has learned that an employee at a carrier partner, Nice Systems, exposed 14 million residential customer records from the past 6 months on an unguarded Amazon S3 server. As long as you could guess the web address (which reportedly wasn't that hard), you had free rein to download whichever log files you wanted. Each record included a name, cellphone number and account PIN, and only some of it was masked. Thieves would not only have personal info they could abuse elsewhere (such as social accounts that use a phone number for authentication) -- they could impersonate you if they called Verizon later.
A spokesperson for the telecom says that it's investigating the exposure, and acknowledges that there's "some personal information." Verizon had to give the data to Nice to verify customer info, and it was allowed to set it up on the Amazon server, but it clearly didn't intend for that info to be made public. There's "no indication" that the info has been compromised, it claims. That's not going to be very reassuring, though, as it's not clear who (if anyone) downloaded the data while it was public.
Nice will only say that the data was "part of a demo system."
This isn't the first time a big company's data has been exposed online. However, the Verizon incident underscores an important point: data security is only as strong as the weakest link in the chain. If a partner company doesn't guarantee airtight privacy, it's just as dangerous as if the main company had revealed the data itself.