About 63,000 Verizon employees have been affected by a breach that occurred in September 2023 but wasn't discovered for three months.
In a notice to the Maine attorney general's office, the telecom giant noted that the breach was caused by an insider threat but that it was an "inadvertent disclosure" rather than a malicious one.
The exposed information includes names, addresses, Social Security numbers, gender, union affiliations, dates of birth, and compensation information — basically a phisher's social engineering giftbox.
"[On Sept. 21], a Verizon employee obtained a file containing certain employee personal information without authorization and in violation of company policy," according to a sample letter to victims filed with the Maine attorney general's office. "Promptly after learning of the issue [on Dec. 12], we conducted a review. … At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue."
Verizon — which offers consumer wireless, home Internet, IT consulting, business communications, cybersecurity offerings, and much more — did not immediately respond to Dark Reading's request for more details on the breach.
The service provider said it was reviewing its technical controls to prevent a repeat of the situation down the line, but Jim Alkove, co-founder and CEO of identity security startup Oleria and former chief trust officer at Salesforce.com, believes that it's equally important to pay attention to the security mindset.
"Today’s news is a perfect example of unintended access and the need for both a cultural shift around access (aka less is best; and no, not every exec needs access to everything all the time) as well as a modernized approach to the tools themselves (we need to lean into autonomous tech)," he said in an emailed comment.
The news comes amid ongoing cyberattacks against telecom providers; it's also Verizon's second data breach incident in less than a year. Last March, 7.5 million wireless customers were affected when their information cropped up for sale on the Dark Web; Verizon said a third-party provider was to blame.