25 March 2016, USA : Verizon’s annual data breach investigation reports are excellent looks at how cyber attacks happen and how to defend against them, so one would expect Verizon’s own cyber defenses to be effective. But nothing is completely hacker-proof yet, as Verizon itself has learned.
Verizon Enterprise Solutions has been dealt a painful blow by a data breach, in which hackers stole and attempted to sell customer data. The thief took off with the contact information of approximately 1.5 million Verizon customers, and has put it up for sale on an underground cybercrime forum, asking for anywhere from $10,000 to $100,000, depending on the amount, as well as offering to sell information about Verizon’s security vulnerabilities.
The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.
Contacted about the posting, Verizon Enterprise told KrebsOnSecurity that the company recently identified a security flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents. Verizon has not yet responded to questions about how the breach occurred, or exactly how many customers were being notified.
The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).
According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.
Source : krebsonsecurity.com