According to TechNewsWorld, UpGuard, a company that makes a business of assessing risk for its clients, last month discovered millions of unsecured Verizon customer records on an Amazon server. UpGuard said there were 14 million records, but Verizon later insisted there were only six million. There’s no evidence that anyone besides UpGuard researchers (who found the records in their unsecured state) even saw any of the data, much less stole it.
As far as anyone can tell, there was no harm done. That the story made national headlines shows just how sensitive we are to privacy issues today.
First, a little background on how the breach occurred. Nice Systems, a vendor of workforce management software, was helping Verizon improve a self-service call center portal, and its work required customer records. A Nice Systems employee put the data into an Amazon Web Services S3 bucket and mistakenly set the storage to allow external access. Nice Systems says it was a simple human error, and reiterated that no outsiders accessed the data. UpGuard, the company that discovered the unsecured records, said the files included personal identification numbers (PINs), along with customers’ names, addresses, and account information.
It was the exposure of PINs that caused the most excitement. UpGuard pointed out that with a customer PIN, a criminal could order new hardware or a SIM card for a phone, which could then be used to defeat two-factor authentication. Verizon, which apologized for the breach, said the PINs were only those used to authenticate a customer calling into a call center and that they could not be used to access accounts.
You don’t need to know who to believe or who to blame in order to know that this had the potential for serious damage. Even if the data, as Verizon suggested, could not be used to subvert two-factor authentication, it certainly could have been used to victimize Verizon customers with robo-calls, a favored vehicle of scammers and criminals.
It seems that every day there is a new way that personal privacy is put at risk. This is a problem, but it’s also an opportunity. If you’re considering a career move, you could do worse than study to be a privacy professional. The International Association of Privacy Professionals (IAPP) was founded in 2000 and has 20,000 members in 83 countries. For the past three years, membership has been growing at an annual rate of 20%. It also runs professional certification programs.
It is also a partner of Logical Operations. Our partnership brings each of IAPP’s certifications, including the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT), to Logical Operations’ network of over 3,000 training centers worldwide. Courses are two-day, instructor-led training sessions that include textbooks, participant guides, exam vouchers, and a one-year IAPP membership.
The Verizon incident was a momentary headline, with no apparent damage done. But the problems of protecting personal privacy are not going away. We increasingly commit our health data, information about our pastimes and recreation, and social interactions to websites, apps, and wearable devices. When this information isn’t properly secured, it becomes possible for someone to track your movements, know your associations, and learn about your health issues. We need a cadre of privacy professionals to monitor and guide the businesses that collect all this data. Otherwise, the wrong kind of people are simply going to know too much about you.