Data for millions of Verizon users was left unprotected on the internet recently, allowing anyone who knew the web address to access the records.
The sensitive information was first discovered by UpGuard, with the site's Director of Cyber Risk Research Chris Vickery finding the data on Amazon Web Services cloud storage.
UpGuard said names, account details, addresses and verification PIN numbers were all vulnerable.
This data was not being stored directly by Verizon. Instead, it was handled through a third-party vendor called NICE Systems, an international company that does back-end business data and security work.
According to ZDNet, the customer data was from people who had called a customer service line in the past six months.
Verizon confirms – but says no customer info was stolen
Verizon in a news release confirmed that yes, customer data was left semi-out in the open on a server. But the company stressed that there's no record of anyone accessing the data aside from Verizon, NICE Systems, and the researcher who brought the issue to the company's attention.
"In other words, there has been no loss or theft of Verizon or Verizon customer information," the release said.
The company also takes issue with what exactly was vulnerable. Verizon claimed most of the info didn't have any value to people, though it admitted there was "a limited amount of personal information" there. No Social Security numbers or voice recordings were stored on the server, however.
Verizon also said there was a "limited number" of cell phone numbers there, and that the PINs could only be used to verify a caller's identity when someone called the help center; they don't allow online account access.
UpGuard initially said the personal information of up to 14 million people was vulnerable, but Verizon called that "overstated," and pegged the figure at about 6 million "unique customers."
"Verizon is committed to the security and privacy of our customers. We regret the incident and apologize to our customers," the response concluded.
UpGuard, though, said the entire incident – even if nothing was taken – is a "potent example of the risks of third-party vendors handling sensitive data." Basically, if some other company has your important data, it's only as secure as that company makes it.
That's what reportedly led to the Target data breach in 2014. Cybersecurity writer Brian Krebs said the hackers gained access to Target’s network using credentials stolen from a Pennsylvania refrigeration company that has worked at a number of Target locations.