Verizon Confirms Breach Affecting Business CustomersIncident Reportedly Affects 1.5 Million Verizon Enterprise Clients
Verizon Enterprise Solutions, which regularly assists clients in responding to data breaches, admits it's suffered its own breach, reportedly affecting 1.5 million business customers. As a result of the exposure of contact information, those customers are now at greater risk of phishing attacks.
In a statement provided to Information Security Media Group, Verizon says: "Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers."
Verizon says that "no customer proprietary network information ... or other data was accessed or accessible. The impacted customers are currently being notified." The company adds that no data about consumer customers was involved.
Verizon did not immediately respond to an ISMG inquiry for more details regarding the breach, including the nature of the "security vulnerability" exploited to commit the intrusion, or the number of customers impacted.
The security blog Krebs on Security, which first reported on the incident March 24, says "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise."
The blog reports: "The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents."
The seller priced the entire Verizon package of stolen data at $100,000, "but also offered to sell it off in chunks of 100,000 records for $10,000 apiece," according to the blog. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site."
Annual Breach Report
Verizon annually compiles and releases a report analyzing breaches across many industries.
In its most recent annual Verizon 2015 Data Breach Investigations Report, issued in April 2015, the company said it analyzed nearly 80,000 security incidents, including more than 2,100 confirmed breaches.
In an interview last year with ISMG about the 2015 report's key findings, Bob Rudis, a security data scientist at Verizon, said that while attacks are growing in sophistication, many intrusions still rely on tried-and-true social engineering techniques, such as phishing, adding that far too many attacks are successful because organizations have failed to patch known vulnerabilities.
A Prime Target
Mac McMillan, CEO of security consulting firm CynergisTek, says it's not surprising that attackers targeted Verizon, a high-profile security vendor. "What Verizon does - its services and security being a big component - makes the company a huge target," he says. "They get [targeted for] attacks far more than the average company, and finally someone pierced their armor."
Tom Walsh, founder of the consultancy, tw-Security, stresses: "Even when you know you have a good security program in place, it doesn't mean that an organization is immune from a cyberattack. One careless mistake by humans - users, application programmers, network engineers, etc. - may be all that is needed for an attacker to exploit. "We need to get it right 24 x 7 x 365. Hackers only need to get it right once. In the long run, the odds are in their favor."
In the end, the breach is a reminder that all organizations need to have an appropriate incident response plan in place for when the inevitable occurs, Walsh says. "We need to conduct cybersecurity tabletop exercises and drills. Because sometimes it's not the event, but your reaction to the event, that people remember the most."