About 63,000 Verizon employees were affected by a breach that occurred in September 2023 but went undiscovered for three months.
In a notice to the Maine Attorney General’s Office, the the telecom giant noted that the violation was caused by a internal threat but that it was an “inadvertent disclosure” rather than a malicious one.
The information exposed includes names, addresses, Social Security numbers, gender, union affiliations, dates of birth, and salary information – essentially a social engineering gift package from a phisher.
“[On Sept. 21]a Verizon employee obtained a file containing certain employee personal information without authorization and in violation of company policy,” according to a sample letter to victims filed with the Maine Attorney General’s office. “Immediately after learning of the issue [on Dec. 12], we conducted a review. … At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue.”
Verizon, which offers consumer wireless services, home Internet, IT consulting, business communications, cybersecurity offerings and more, released the following statement in response to Dark Reading’s request for more details on the breach: “Verizon recently discovered that an employee mishandled a file containing certain personal information about certain Verizon employees. At this time, we have no reason to believe that the information has been misused or shared outside of Verizon. We are reporting affected employees and applicable regulatory authorities regarding this matter. Our internal review of this matter continues.”
The service provider said it is reviewing its technical controls to prevent the situation from happening again in the future, but Jim Alkove, co-founder and CEO of identity security startup Oleria and former chief trust officer of Salesforce.com, believes that it is equally important to be aware of the security mentality.
“Today’s news is a perfect example of unintended access and the need for both a cultural shift around access (i.e. less is more; and no, not all executives need access to everything all the time) and a modernized approach to the tools themselves (we need to lean into autonomous technology),” he said in an emailed comment.
The news is coming in progress cyber attacks against telecommunications operators; and also Verizon’s second data breach incident in less than a year. Last March, 7.5 million wireless customers were affected when their information was discovered for sale on the Dark Web; the supplier claimed that a third party supplier was to blame.