Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500 companies respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.
Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.
The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.
Contacted about the posting, Verizon Enterprise told KrebsOnSecurity that the company recently identified a security flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
The seller of the Verizon Enterprise data offers the database in multiple formats, including a dump from the MongoDB database platform, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents. Verizon has not yet responded to questions about how the breach occurred, or exactly how many customers were being notified.
The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).
According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.
It’s a fair bet that if cyber thieves buy all or some of the Verizon Enterprise customer database, some of those customers may be easy marks for phishing and other targeted attacks. Even if it is limited to the contact data for technical managers at companies that use Verizon Enterprise Solutions, this is bound to be a target-rich list: According to Verizon’s Wikipedia page, some 99 percent of Fortune 500 companies use Verizon Enterprise Solutions.
So… one wonders if we will be seeing Verizon on the next DBIR.
First affected by the hacked Life Lock… now Verizon, who denies knowledge of being hacked… seems a class action lawsuit is indicated.
They denied knowledge? That doesn’t appear to be the case.
Someone got my info and tried to order a replacement device. I received a text about my order being processed and called right away. They said someone from Miami was trying to order the device.
Shodan shows numerous MongoDB installations on their network. It wouldn’t surprise me if they didn’t have it password-protected, as that seems to be common practice.
OK, who let the stream-of-consciousness bot off its leash?
4 spam messages in quick succession (I hope Brian has deleted them before you read this) – those usernames are clickable links, always a bad sign. Whenever this happens I always suspect that Brian has hit a nerve somewhere and this is a knee-jerk reaction.
Someone is mad at Krebs and spamming him lightly. No controls on posting gets you this.
We’re an enterprise healthcare company with Verizon…should I be notifying our users about this? Is this something we need to be concerned about and at what level?
Was Krebs hit by a bus or something? There’ve been no new top-level posts here in over a week.
It does seem curious, I agree.
Krebs got hit by the bus with a Verizon ad on it.
What is the Catholic attitude toward cyber war? “The Church’s teaching on cyberwar and peace establishes a strong presumption against cyberwar which is binding on all.”
Now that it’s a month since your post about Verizon, have they finally announced how many were affected and made their remediation plan public?
As the source of the respected Verizon Data Breach Investigation Report, they have a wider audience than a small Iowa grocery that may or may not have been hacked.
Verizon, the community looks to you as an example, so BE AN EXAMPLE OF HOW TO DO THINGS RIGHT.