Verizon is notifying more than 63,000 people, mostly current employees, that an insider leak exposed their personal data.
The incident happened in September, which the American telco giant attributed it to "inadvertent disclosure, insider wrongdoing" in official disclosure documents filed with the Maine Attorney General. The Pine Tree state's strict data loss rules require security disclosures, even though in this case only 82 of its residents were directly affected.
A Verizon employee obtained a file that they shouldn't have had access to, containing personal information including: names, addresses, Social Security numbers or other national identifiers, gender, union affiliation (if applicable), dates of birth, and compensation information.
Of the 63,206 people to receive data breach notifications [PDF], "the vast majority of the impacted are current Verizon employees," spokesperson Rich Young told The Register. There are some former Verizon employees included who they will be notified and offered the same services as current team members."
The internal review of the data dump remains ongoing, but as of now it does not appear to be a rogue insider intent on selling coworker info on criminal marketplaces, we're told.
"There is no indication of malicious intent nor do we believe the information was shared externally," Young said.
When asked what, if anything, happened to the employee behind the inadvertent disclosure, Young added: "We're not going to discuss any employee involved as these are private, personnel matters."
In light of the incident, Verizon tells us that is boosting its technical controls to prevent future unauthorized file access. The mobile operator is also offering affected individuals two years of free credit monitoring and identity protection services and if fraud occurs, they can receive up to $1 million in reimbursement for stolen funds and expenses.
Verizon's most recent security snafu happened back in October 2022 when some of its prepaid customers' accounts were compromised by crooks attempting to hijack their phone numbers via SIM swapping methods.
"Between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account," the mobile network operator said at the time.
From there, the criminals attempted to transfer the victims' phone numbers to other devices, which would allow the fraudsters to access one-time security codes and then break into the victims' banking apps and other online accounts. ®
Source: The register