The American telco Verizon has been found leaking customers’ information, potentially for months, due to a flaw in a chat system on its website.
Verizon has been leaking addresses, phone numbers, account numbers, and other personal information through a chat window on its website that erroneously displayed conversations between the firm’s employees and customers.
The personal details appear when users click on a link to chat with a Verizon representative about the availability of Fios, the telco’s bundled Internet access, telephone and television service that operates over a fiber-optic communications network.
“The transcripts include full names, addresses, phone numbers, account numbers (in the event they already have an account), and various other information,” reports Ars Technica, which alerted the company to the flaw.
The site has published a number of redacted screenshots as evidence of the flawed chat system.
Some of the transcripts viewed by the news outlet reportedly date back to June, meaning the leak has been going on for months.
Ars Technica held off on reporting the flaw, hoping Verizon would address it in due time. The publication decided to move forward with the story after noticing that the leak was still ongoing almost a week after its discovery. The reason? “To alert people who may use the service that this data is being exposed,” according to the report.
Verizon acknowledged the flaw this week, telling customers, “We’re looking into an issue involving our online chat system that assists individuals who are checking on the availability of Fios services. We believe a small number of users may have seen a name, phone number, and/or a home or building address from an unrelated individual who had previously used this chat system to enter that information. Since the issue was brought to our attention, we’ve identified and isolated the problem and are working to have it resolved as quickly as possible.”
The statement was issued Thursday morning. As of today, the flaw seems to have been addressed.
While some US states, like California, have stringent data protection laws comparable to Europe’s GDPR, most don’t. It will be interesting to see how Verizon will answer to regulatory bodies for this blunder. Had this error occurred under the European Union’s watch, Verizon would have paid through the nose, both financially and reputationally.