A household name among American media companies, Verizon Communications on Wednesday began notifying employees that an insider may have gained access to their data. According to the breach notice to the Maine Attorney General, an unauthorized employee opened a file containing sensitive data of 63,206 other employees.
While customers are not believed to have been impacted in this breach, Verizon is warning that the exposed employee data could include Social Security Numbers, National Identifiers, full names, home addresses, DOBs, compensation information, gender, and union affiliations.
The unauthorized employee initially gained access to this document in September 2023, but Verizon did not discover the incident until December, almost 3 months later. At this time, it is unknown what the unauthorized employee may have done with the data, or if they intend to use it for nefarious purposes.
In the notification, Verizon states that there isn’t yet any evidence the data has been used maliciously. Fortunately, Verizon has taken steps to mitigate any potential fallout. In the statement, the company said, “We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter.”
Verizon has also arranged for impacted individuals to receive free identity protection and credit monitoring services for 2 years.
“Verizon says they have no evidence the information was moved externally or used maliciously. Unless they are leaving out a key detail, this is about as innocuous as an ‘insider threat breach’ gets,” commented Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.
“I will say that this is a testament to the monitoring that Verizon is doing to have even noticed and acted upon it. I think it’s probably very common…and I mean happening all the time in most companies…that people who are not authorized to access particular data still do so. I remember this happening in companies I worked for 30 years ago. This is far from rare. What is different is that Verizon and many other companies are now looking for and monitoring these types of situations, and alerting impacted potential victims, if any. That’s progress!”
On the other hand, Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, explained the risks of insider threats, and some ways organizations can prevent it:
“Insider threats, whether intentional or inadvertent, represent a substantial and often underestimated risk to organizational security and data integrity. Insider threats are harder to discover and neutralize since they originate from within the organization’s trusted perimeter, unlike external threats, which may be more obvious and straightforward to detect. Of particular concern in insider attacks is the delayed detection of the breach. Organizations must utilize advanced threat detection tools to promptly discover and address any questionable activity or unusual network behaviour. Timely detection can significantly mitigate the impact of breaches and reduce the likelihood of prolonged exposure of sensitive data. Organizations, furthermore, must prioritize investments in staff training and awareness programs to educate employees about the importance of cybersecurity best practices.”
The question remains—was this incident the actions of a malicious actor, or was it simply an employee who clicked into the wrong document, never to think about it again? We may soon find out.
Roger Grimes wonders the same: “Did they simply look for it and stumble across it, or did they do something nefarious to access it? Either way, did Verizon address how it happened so it won’t happen in the future? That’s the question I put to any company suffering a data breach — how did it happen and was something done to prevent similar actions in the future?”
Phil Odence, General Manager of Black Duck Audit Business at Synopsys concluded “Understandably, most organisations prioritise vulnerabilities in public-facing applications. However, this cautionary tale is a good reminder that not all bad actors are outside the firewall and, therefore, application security is critical for internal applications as well.”
