An enterprise-focused division of Verizon was the victim this week of a breach that culminated with a hacker offering to sell the customer data that was stolen. The hacker was reportedly a well-known member of an underground cybercrime forum. He or she started a new thread on the forum offering a database containing the contact information on about 1.5 million customers of Verizon Enterprise Solutions, the B2B arm of the telecommunications company.
The seller asked $ 100,000 for the entire package of data, or $ 10,000 each for groups of 10,000 records. Also offered was the option to purchase information about security flaws in Verizon’s Web site. The seller offered the data in multiple formats, including the database platform MongoDB, possibly indicating that the hacker forced a MongoDB database at Verizon to unload its contents.
Lesson To Be Taught
The breach was first reported by cybercrime expert Brian Krebs on the KrebsOnSecurity Web site. Verizon told Krebs that it had identified the security flaw that led to the breach and was contacting customers who may have been affected. Verizon Enterprise Solutions has numerous Fortune 500 companies among its clients — about 99 percent, according to Verizon’s Wikipedia page. Verizon said that no customer proprietary network information was accessed. However, Verizon didn’t say how the breach occurred, or how many customers were being notified.
We reached out to analyst Jon Oltsik at Enterprise Security Group (ESG), who said the irony of a breach at a company that preaches security was hard to miss.
“It’s a classic case of the cobbler’s children [having] no shoes,” says Oltsik, who focuses closely on cybersecurity. “I’m sure Verizon thought its network was protected, but it goes to show you that one oversight is all a sophisticated cyber-adversary needs.”
Oltsik added that while Verizon may be subject to criticism now in the enterprise security world, there are ways of making something positive out of the breach.
“If I ran marketing [at Verizon], I would turn this issue around,” he says. “I would come clean with the world on what happened, describe the advanced resources that Verizon puts into security, and pitch a message of, ‘If this could happen to us, it could happen to anyone.'”
Breach Experts
Verizon Enterprise’s annual Data Breach Investigations Report is highly regarded because of case studies from interesting and unusual breaches. In a 2015 report on data from more than 70 organizations, Verizon Enterprise said that the average cost to a company of one breached data record was 58 cents, although the asking price for stolen data can range well into thousands of dollars. Verizon also said in that report, though, that the time it takes to uncover data breaches has reduced drastically over the years.
“The key is to avoid denial and hiding the facts,” says ESG’s Oltsik. Rather, Verizon should share this experience with the world and use it as a teachable moment.”
