2008 06 07
Verizon Wireless bill archive security glitch

Second Update

In the end, Verizon sent me a letter notifying me that there was a security glitch with the bill archive section of the site. It noted that although the chance of my personal information getting into someone else’s hands was small, their system indicated that I used bill archive during the period in which the system was compromising information.

I would say that it was exactly the letter I would have written, had I been in charge at Verizon. So, a happy ending to that episode.

End Second Update

Update (Monday, June 9th):

OK, just got off the phone with someone from Verizon. I think the blog post got their attention pretty quickly. (He told me they found the post first, and then matched it to the ticket I had opened about the issue later.) I sensed a bit of frustration on his part that I concluded so quickly that they weren’t serious about the problem. At any rate, he reassured me that the technicians were working as quickly as possible to fix the problem, and that the entire bill archive would be taken down at 5pm today until they were sure it was fixed. He also reassured me that Verizon cares very much about privacy. I said I was happy to update the post with that information.

I asked if they planned to issue any public notice about this, and he said that this was up to the public relations people, and he wasn’t sure if they had decided anything.

So, there you go.

End Update

On Thursday morning, I was trying to access some old cell phone bills online at www.verizonwireless.com. As I clicked through the months, most of the time the correct bill came up (as a pdf). But twice for some reason verizonwireless.com served up someone else’s bill. The first time I just absentmindedly clicked away and tried again. But the second time it occurred to me that there was something really squirrelly about the fact that I was able to access some other random dude’s bill. I could see all the calls that this guy made in September, 2007, his account number, and the fact that his bill was past due that month. That’s hardly the biggest security breach in history, but it’s also a legitimate concern for people who care about their privacy, and rely on companies to take reasonable steps to secure personal information.

I spent 30 minutes on the phone with Verizon trying to get someone to understand that there was clearly some technical glitch on their end, and that it raised a privacy issue (and a potential legal issue for them). The first person I talked to tried to duplicate the effect, failed after trying once (for each month), and then tried to get rid of me. I pointed out that usually when I requested my bill, it did serve up the proper pdf. The problem clearly wasn’t resulting from a permanently misaddressed pdf file. Rather, something was getting tangled up when the pdf requests were generated or processed by the server. I insisted she transfer me to someone else, who then transferred me to someone else, who then promised me that someone would call me back with an explanation. No one has called yet.

I also made them promise to call this guy and tell him that someone else had been able to view information that should have been kept private, but about 5 minutes after I got off the phone with them I realized that that was unlikely. So I called the guy up and left a message. He called back a few hours later. No one from Verizon had called him. 10 seconds of googling suggests that he’s a bean farmer in the Midwest. I didn’t ask, but he certainly sounded like a bean farmer. He didn’t seem too pissed off, but he did say he’d give them a call “cause that’s just not right.” He asked where I was calling from and I told him Brooklyn, NY. “Brooklyn! All the way from Brooklyn!” he said, clearly relishing the exoticness of my location. “I’m in XXXX.” I said: “I know! I’m looking at your bill.” And then he thanked me and we got off the phone.

Anyway, if someone from Verizon calls or drops a comment here, I’m happy to update the post with any new information. If I were in charge of this stuff at Verizon, I think it would be reasonable to a) figure out as quickly as possible what’s wrong with the way the server processes requests for archived bills; and b) issue a brief security notice admitting that a few customers had personal information compromised, but that the problem had since been fixed. Until Verizon does both of these things, I think I’m going to continue feeling sort of underwhelmed by their attitude to security and privacy.
