When your outsourced security vendor outsources its own security…and things go boom.


Verizon is trying to make itself out as a security firm…but they failed to ensure their own outsourced vendor had proper security policies and procedures in place:

An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.

As many as 14 million records of subscribers who called the phone giant’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra’anana, Israel-based company.

Amazon’s cloud does not enable least privilege by default…instead it is an open book by default…which has led and continues to lead to data spillage like this over and over again. Most of these spillages, as I refer to them, are not breaches. There was zero authentication required for this data spillage and for a majority of the other Amazon-based spillages. Amazon could actually HELP cloud security by following the best practice of deny all by default…except for the IP address that is currently being used to create the account/instance.
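A check for the condition described above (access with zero authentication and no source-IP restriction), as an added example that is not part of the original post. It inspects only an S3 bucket policy document, not ACLs or account-level settings; the bucket name, address and helper names are constructed for illustration.

```python
import ipaddress
import json

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the Principal element matches any caller, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def source_ip_ranges(statement):
    """CIDR ranges from a plain IpAddress / aws:SourceIp condition, if present."""
    cond = statement.get("Condition", {}).get("IpAddress", {})
    for key, value in cond.items():
        if key.lower() == "aws:sourceip":  # condition key names are case-insensitive
            return [ipaddress.ip_network(c, strict=False) for c in _as_list(value)]
    return []

def audit_bucket_policy(policy_json):
    """Return (sid, reason) findings for Allow statements open to anonymous callers."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        ranges = source_ip_ranges(stmt)
        sid = stmt.get("Sid", f"statement[{i}]")
        if not ranges:
            findings.append((sid, "anonymous access with no source-IP restriction"))
        elif any(r.prefixlen == 0 for r in ranges):
            findings.append((sid, "source-IP condition covers the whole internet"))
    return findings

def sample_policy(condition=None):
    """Constructed sample policy; bucket name is a placeholder."""
    stmt = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

OPEN_POLICY = sample_policy()  # readable by anyone, no authentication
RESTRICTED_POLICY = sample_policy({"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}})

if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_bucket_policy(doc))
```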

Of course there is no excuse for a “security firm” to have suffered this kind of issue.