Verizon Communications is warning that an insider data breach impacts almost half its workforce, exposing sensitive employee information.
Verizon is an American telecommunications and mass media company providing cable TV, telecommunications, and internet services to over 150 million subscribers across the U.S. The company has more than 117,000 workers and has an annual revenue of 136.8 billion (2022).
A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.
Verizon discovered the breach on December 12, 2023, nearly three months later, and determined it contained sensitive information of 63,206 employees.
The data that was exposed varies per employee but could include:
- Full name
- Physical address
- Social Security number (SSN)
- National ID
- Union affiliation
- Date of birth
- Compensation information
However, this incident does not appear to impact customer information.
Verizon says it is actively working towards strengthening its internal security to prevent similar incidents from occurring again in the future and noted that at this time, there are no signs of malicious exploitation or evidence of the data having been widely leaked.
“At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue,” reads the Verizon data breach notification.
“We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter.”
To protect exposed individuals from the risks posed by the security incident, Verizon has enclosed instructions on enrolling in a two-year identity theft protection and credit monitoring service in the notices sent to impacted employees.
BleepingComputer contacted Verizon to learn if the incident has been referred to law enforcement and we received the following reply:
Verizon recently discovered that an employee inappropriately handled a file containing certain personal information about some Verizon employees.
At this point, we have no reason to believe the information was improperly used or that it was shared outside of Verizon.
We are notifying the affected employees and applicable regulators about the matter. Our internal review of this matter continues.
We have not referred this incident to law enforcement. There is no indication of malicious intent nor do we believe the information was shared externally. – Rich Young, Verizon spokesman
Verizon has had a relatively calm period regarding cybersecurity incidents in the past few years.
The firm’s last major incident was announced in October 2022, when hackers attempted to perform SIM swaps to hijack customer accounts.
Although Verizon says it blocked the activity and reversed unauthorized changes, sensitive customer information such as partial credit card data, names, telephone numbers, billing addresses, and other service-related info was exposed.
Update 2/6 – Added Verizon statement