A database of contact information for hundreds of Verizon employees is in the hands of cybercriminals, after a member of staff was duped into granting a hacker access to their work PC.
The revelation of a data breach comes from security journalist Lorenzo Franceschi-Bicchierai of Vice, who describes how an anonymous hacker contacted him earlier this month to brag about what they had achieved:
"These employees are idiots and will allow you to connect to their PC under the guise that you are from internal support," the hacker told Franceschi-Bicchierai in an online chat.
The compromised data included the full name, email address, corporate ID number, and phone number of hundreds of Verizon staff members. Although Franceschi-Bicchierai was unable to confirm that all of the information was up-to-date, he was able to verify the legitimacy of some of the data by calling phone numbers that had been exposed, and asking individuals who answered to confirm their names and email address.
According to the hacker, having tricked a Verizon employee into granting them access to their corporate computer, they were then able to access an internal company tool to retrieve employee information, and scraped the database with a script.
In an extortion email to Verizon, the hacker claims to have requested a $250,000 reward for their efforts, threatening to leak the employee database online:
Please feel free to respond with an offer not to leak you’re [sic] entire employee database
Verizon confirmed to Vice that it had been contacted by the hacker, but downplayed the significance of the breach:
“A fraudster recently contacted us threatening to release readily available employee directory information in exchange for payment from Verizon. We do not believe the fraudster has any sensitive information and we do not plan to engage with the individual further. As always, we take the security of Verizon data very seriously and we have strong measures in place to protect our people and systems.”
It's accurate that the breach would have been worse if it had included more sensitive information. For instance, banking details, social security numbers, passwords, and the like would have potentially made the breach more serious.
But I don't think Verizon is right to say that the information should not be considered sensitive. In the hands of a fraudster the details could be used to assist in the impersonation of a Verizon employee without too much difficulty, for instance, which could lead to the duping of yet more members of staff into releasing perhaps yet-more sensitive data.
Furthermore, as Franceschi-Bicchierai points out, in recent years hackers have managed to launch SIM swap attacks that hijack cell phone numbers, and can lead to the interception of calls and SMS messages, and then the compromise of online accounts.
Verizon and other companies would do well to train their staff about the risk of being duped by someone posing as a member of the IT team, and always double-check before granting permission for someone else to access their computer remotely.