More than 63,000 Verizon employees — about half the company’s workforce — were victims of a data breach resulting from a staff member gaining unauthorized access to a file containing personnel records.
In a letter sent to affected employees, the U.S. telecommunications and media giant said the staff member obtained the file around Sept. 21 last year “without authorization and in violation of company policy.”
Verizon Communications Inc., which employs about 117,000 staff, discovered the breach on Dec. 12.
The types of detail held in the file varied between the affected individuals, but could include name, address, Social Security number or another national identifier, gender, union affiliation, date of birth, and compensation information.
“At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue,” the letter said.
“We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter.”
Breach not considered malicious
According to a data breach notification filed with the Office of the Maine Attorney General, 63,206 individuals were affected by the breach, which was described as “inadvertent disclosure, insider wrongdoing.”
A Verizon spokesman said an internal review of the incident was ongoing but there was “no indication of malicious intent” on the part of the staff member involved. As a result, the company had not referred the matter to law enforcement.
The “vast majority” of those impacted were current Verizon employees, while a small number were former employees who had left the company after the breach occurred.
Verizon has arranged to provide complimentary credit monitoring and identity protection services to affected individuals for 24 months through Allstate Identity Protection.
The last time Verizon was in the news because of a security breach was in October 2022, when threat actors obtained access to the last four digits of the credit card numbers its customers were using to make automatic payments on their accounts. The stolen data was later used in SIM swapping attacks.
How to deal with insider threats
The latest Verizon security breach falls into the category of an insider threat, which the Cybersecurity and Infrastructure Security Agency (CISA) describes as “intentional or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.”
Whether they are carried out by disgruntled employees or (as appears to be the case with Verizon) occur unintentionally, researchers say insider threats pose a growing risk to organizations. According to research by Kroll, they accounted for nearly 35% of all unauthorized access threat incidents in 2022.
According to CISA’s Insider Threat Mitigation Guide (PDF), organizations should develop an insider threat mitigation program tailored to their specific culture, taking into account the critical assets they need to protect and the threats they face.
“Build a culture of reporting and prevention that establishes and reinforces a positive statement of an organization’s investment in the well-being of its people, as well as its overall resilience and operational effectiveness,” the guide said.