[Dataloss] fringe: verizon archive security glitch?

From: security curmudgeon (jerichoattrition.org)
Date: Sat Jun 07 2008 - 15:11:17 CDT


---------- Forwarded message ----------
From: David Farber <davefarber.net>
________________________________________
From: Deborah Alexander [dsalexanoptonline.net]
Subject: verizon archive security glitch?

Dave – for IP-ers, if you think of use...

Scrolling blogs this a.m., I came across a posting that seems interesting
in light of the presumptive Republican Presidential Candidate’s views
about telecoms, privacy and immunity:

From
http://www.explananda.com/

On Thursday morning, I was trying to access some old cell phone bills
online at www.verizonwireless.com. As I clicked through the months, most
of the time the correct bill came up (as a pdf). But twice for some reason
verizonwireless.com served up someone else’s bill. The first time I just
absentmindedly clicked away and tried again. But the second time it
occurred to me that there was something really squirrelly about the fact
that I was able to access some other random dude’s bill. I could see all
the calls that this guy made in September, 2007, his account number, and
the fact that his bill was past due that month. That’s hardly the biggest
security breach in history, but it’s also a legitimate concern for people
who care about their privacy, and rely on companies to take reasonable
steps to secure personal information.

I spent 30 minutes on the phone with Verizon trying to get someone to
understand that there was clearly some technical glitch on their end, and
that it raised a privacy issue (and a potential legal issue for them).

<snip>

[Verizon] promised me that someone would call me back with an explanation.
No one has called yet.

I also made them promise to call this guy and tell him that someone else
had been able to view information that should have been kept private, but
about 5 minutes after I got off the phone with them I realized that that
was unlikely. So I called the guy up and left a message. He called back a
few hours later. No one from Verizon had called him.

<snip>

[ADDED BY WAY OF FOLLOW UP COMMENT]:

I found it sort of interesting from an organizational perspective.
Obviously Verizon gets a lot of calls from a lot of angry or strange
people every day. So they need pretty robust filters, so that upper level
managers don’t have to talk to every crackpot who calls with some issue
that the operators aren’t in a position to properly assess. The result is
that there was apparently no way at all for them to escalate the issue
efficiently and effectively. According to them - and this may well be true
- they just couldn’t get a hold of a supervisor who would be high up and
smart enough to grasp the legal implications of my point, let alone the
privacy and public relations aspect.

<snip>

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
