SAN FRANCISCO – Records for more than 1.5 million customers of the computer security wing of Verizon, Verizon Enterprise Solutions, appeared for sale earlier this week.
This Verizon unit aids large corporations when they’ve been the victims of a hack. Now the company itself has been breached.
According to Brian Krebs, a respected computer security writer, the entire database was offered up for $100,000 on a “closely guarded underground cybercrime forum,” or in increments of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.
In an emailed statement, the company said, “Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers.”
The company noted that no data about consumer customers was involved.
In an irony not lost on the computer security community, Verizon Enterprise Solutions each year writes one of the most widely-read annual data breach investigation reports.
The attack “shows that even those that report security vulnerabilities are susceptible to exploits,” said Brad Bussie, director of product management for STEALTHbits Technologies.
“With 99 percent of the Fortune 500 using Verizon Enterprise Solutions, the compromise of 1.5 million customers’ contact details could have a huge payday for hackers. Stealing contact information doesn’t have the immediate payoff of a credit card number, but in the long term can be extremely lucrative if leveraged correctly,” said Vishal Gupta, CEO of the security company Seclore.
While the breach only included basic contact information about Verizon Enterprise Solutions customers, it’s of concern because of whose those customers were, said Dodi Glenn, vice president of cyber security at PC Pitstop.
“A lot of Fortune 500 companies use Verizon Enterprise Solutions — makes you wonder if some of those who purchased the data may have plans to use the information to start phishing attacks, since it contains information from companies with lots of money,” he said.