The Target: Verizon, a U.S multinational telecommunications company.
The Take: Exposure of an employee database containing Personally Identifiable Information including: full names, email addresses, and phone numbers.
The Vector: The attacker posed as an internal support agent and tricked an employee into allowing them to remotely access their corporate computer. From there, the threat actor gained access to a Verizon internal tool that displayed employee information, from there they wrote a script to scrape and export the data.
This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. While Verizon’s systems were not penetrated or affected in any way, the attacker was still able to exploit an employee’s ignorance to exfiltrate sensitive company data. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.