Monday, December 24, 2012

Verizon not hacked, but customer data real, though months old

It's called a developing story. While on Saturday a hacker named TibitXimer claimed to have hacked Verizon Wireless' systems, and posted 300,000 user records including names, addresses, mobile serial numbers, the opening date of each account, and account passwords, the story has changed over the past 24 hours.

It appears the story was false -- although the data was not.

On Twitter, TibitXimer -- whose account has now vanished -- claimed that he had managed to download three million user records. After Verizon allegedly ignored his report of the security hole, TibitXimer leaked approximately 300,000 of these customer records by uploading them to Pastebin on Saturday.

Or so he said.

Pastebin is frequently used for hacker leaks, so that makes sense. But the Pastebin post has been deleted, just as TibitXimer's Twitter account has. In addition, the data was not from Verizon Wireless (TibitXimer later said they were records from Verizon FiOS customers).

Verizon first said the data wasn't Verizon data. The company said:

"This incident was reported to the authorities when we first learned of it months ago and an investigation was launched. Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported.

"We take any and all attempts to violate consumer and customer privacy and security very seriously, so we notified individuals who could potentially have been impacted and took immediate steps to safeguard their information and privacy. Verizon has also notified law enforcement of this recent report as a follow-up to the original case."

However, at least some of the data was confirmed by Verizon customers. That left the question: where did the data come from if no Verizon systems were breached? Verizon had the answer:

"There was no hack, and no access gained. A third party marketing firm made a mistake and information was copied. As for wireless v. wired customers, some of the individuals listed were Verizon customers who are not wireless customers but wired/wireline customers or prospective customers."

In other words, Verizon's systems weren't breached and the company wasn't hacked. At the same time, however, the data was real, and the unnamed marketing firm was at fault.

Does that make any of you Verizon customers a) happier or b) more confident?
