Summary:
Verizon Communications issued an advisory this week that an insider data breach has impacted almost half it’s workforce, exposing sensitive employee personal identifiable information (PII). A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.

Verizon says they discovered the data breach on December 12, 2023, nearly three months after the incident. Roughly 63,000 employees were impacted.

The data that was exposed varies per employee but could include:

• Full name
• Physical address
• Social Security number (SSN)
• National ID
• Gender
• Union affiliation
• Date of birth
• Compensation information

Security Officer Comments:
Verizon does not reveal if customer information was impacted in the data breach. The company says they are working to “strengthen their internal security to prevent similar incidents from happening again.” There are currently no signs of malicious exploitation or evidence of data having been widely leaked.

Impacted employees are able to enroll in a two-year identity theft protection and credit monitoring service.

While full details have not been shared, from Verizon’s statement it appears the insider data breach was not the result of malicious intent, but rather the result of an employee inappropriately handling a file containing PII of Verizon employees. The company says they have no reason to believe the information was improperly used or that it was shared outside of Verizon.

“We have not referred this incident to law enforcement. There is no indication of malicious intent nor do we believe the information was shared externally” - Rich Young, Verizon spokesman.

Suggested Corrections:
Non-malicious incidents are still considered insider threats. Negligence, lack of training, and accidental actions by employees can cause severe impacts to organizations.

People are the first line of defense against Insider Threats. While there will be essential security awareness and training information that applies to all insiders (employees, partners, and contractors), you should strive to tailor it to the tasks of their specific roles and accesses. The goal should be to take your users beyond mere awareness of security policies and issues and truly educate them. They should be instructed on why and how to assess various situations' risk and security implications. You should verify that they know how to apply security best practices as they perform their daily job duties.

Insiders should have access to only those information assets for which they 1) have a need-to-know based on the role and duty and 2) that fall within the parameters of their risk profile.

The employee monitoring market consists of technologies that collect data about the location, movement, communications, and actions of employees. Because of their narrow focus, these tools are often integrated with other tech stack tools to support broader purposes. The most prevalent use cases for EM products are optimizing employee, team, and process productivity and efficiency by tracking physical and electronic activities and reducing bandwidth costs emanating from the inappropriate use of devices and networks.

Organizations should strive to examine behaviors, actions, and insider threat indicators to mitigate threats following established policies, existing business objectives, risk tolerance, and legal parameters. Typical data loss, fraud, and intellectual property are the framework for investigative best practices; however, they can often miss critical data sources. Integrating evidence from HR, Legal, Cyber, and Security is essential consideration with investigative methods.

Link(s):
https://www.bleepingcomputer.com/ne...h-hits-over-63-000-employees/#google_vignette