Why it took more than a week to resolve the Verizon data leak
A communications breakdown and a vacationing employee were the reasons it took more than a week to close a leak that contained data belonging to 6 million Verizon customers, according to Chris Vickery, the cybersecurity researcher who discovered the breach.
Verizon said last week that an employee at one of its vendors, NICE Systems, had accidentally made the data available to anyone who had the public link to the cloud.
Vickery said he found the leak June 8 while he was in the middle of dealing with a GOP contractor leak of voters’ data. When that died down, he said, he was able to take a closer look at Verizon’s data and realized that it needed immediate attention.
Vickery said that on June 13, he called a Verizon employee on the cyber team whom he had worked with on similar issues. He said he left a voice mail saying that he had found a very serious leak and needed to discuss it.
A week later, when he went to check on the leak, he found that it had not been closed. He emailed Verizon’s cyber emergency team about the leak, warning that the data should be closed off and noting that he had flagged them about it a week ago, he said.
“That must have rattled some cages,” he said, because the cyber response team responded soon after.
They told him that there was a breakdown in communications and that the issue would be addressed, Vickery said.
That same day, Vickery also received a response from the Verizon cyber employee he had initially reached out to. He told Vickery that he was on vacation during that time but had passed the message on to the cyber response team.
“If they couldn’t shut it down immediately they needed to put stopgaps in place somewhere,” Vickery said. “It should be as simple as pulling a switch to take it down if it was just a debug server.”
Verizon said in a statement to the Washington Post that the cyber response team notified NICE, which is based in Israel, and closed the leak within 24 hours of Vickery’s email June 22.
“The informal contact did not drive the action we would have wanted to see and we are reviewing opportunities for improving our handling of such contacts,” company spokesperson David Samberg said of how the issue was initially flagged.
NICE Systems did not immediately respond for comment.