Verizon Discloses a Breach Impacting More than 63,000 Employees

by Amy Larsen DeCarlo, posted in Secure
Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• In late January 2024, Verizon began alerting more than 63,000 employees impacted by the breach of a file in September 2023 containing personal information that could encompass social security numbers, addresses, union affiliation, and compensation.

• Verizon took nearly three months to detect the incident, which the carrier blamed on “insider wrong doing.” Verizon doesn’t believe the data was shared with external entities.

Verizon joined the long list of companies facing the aftermath of a 2023 security incident. Nearly three months after an employee gained unauthorized access to a document containing sensitive data on more than 63,000 staff members, Verizon finally became aware of the breach. In January, Verizon sent letters to the employees impacted by the breach. In the letter, the carrier says the file could include name, address, social security number or other national identifier, gender, union affiliation, date of birth, and compensation data. Verizon says there is no indication the information has been misused or shared outside of Verizon. The carrier is providing affected staff with identity protection and credit monitoring services for two years.

The September incident came just weeks after Verizon reached a $4.1 million settlement with the US federal government for failing to meet the cybersecurity standards for which it was contracted. The suit alleges the Verizon service provided, delivered to several federal agencies, does not meet three cybersecurity controls as required in contracts from 2017 to 2021. In 2020, Verizon “proactively identified and disclosed” to the General Services Administration there were possible issues around meeting those standards. Verizon says there were no breaches or other security incidents related to those gaps.

Like other high-profile companies, Verizon is a popular target of malicious hackers. In January 2023, personal information of 7.5 million Verizon wireless customers was posted on the ‘Dark Web.’ The previous year, cybercriminals attempted to extort $250,000 from Verizon after gaining access to an employee database with information on hundreds of staff members. At the time, Verizon said there was no sensitive personal information contained in the breached record.

However, after recent social engineering incidents in which hackers impersonated actual employees at several other large enterprises to gain access to systems, all organizations should be taking care to educate staff on how to recognize such tactics and avoid being put in a compromising position. An effective zero trust starts and ends with employee awareness and best practices in the workplace.

Leave a Reply