Former Verizon Wireless employee charged with identity theft
Technorati Tag: Security Breach
Date Reported:
4/22/08
Organization:
Verizon Wireless
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown
Types of Data:
Name, address, Social Security number, and/or Verizon Wireless account number
Breach Description:
A former employee of Verizon Wireless who worked in a telesales position has been charged with identity theft by the Somerset County, New Jersey Prosecutor's Office. According to Verizon Wireless, it appears that he may have taken sensitive personal information belonging to Verizon Wireless customers during his employment from November, 2003 to January, 2005.
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
a former Verizon Wireless telesales employee apparently obtained sensitive personal information about them from our records from late 2003 through early 2005.
Verizon Wireless is providing this notice to let you know that a former Verizon Wireless employee appears to have obtained, in violation of our policies, sensitive customer personal information, which may include your name, address, social security number, and/or Verizon Wireless account number.
[Evan] As I have said before in other similar breaches, employee fraud is often a difficult problem for information security professionals to tackle. This holds especially true when dealing with positions in the company that have statistically high turnover rates, like telesales, customer service, etc. These employees need a certain level of access to perform their job functions, but the access that they are granted needs to be as granular as possible. There are many controls that we try to apply like background checks (initial and periodic), role-based access control, monitoring, etc., but sometimes even the best controls can be circumvented. Remember that we are not in the risk elimination business, we are in the risk reduction business.
This former employee was arrested on March 27, 2008
The former employee has been charged with identity theft by the Somerset County, New Jersey Prosecutor's office, and we understand that he is likely to be indicted shortly.
We do not know the exact circumstances of this theft since we have not spoken to this individual.
However, based on copies of documents provided to us by the Prosecutor's office, it appears that he may have printed computers screens containing customer's names, addresses and social security numbers.
It appears that he may have taken this sensitive information about you while he worked for us in a telesales position for a little over a year, from November 2003 to January 2005.
Approximately two years ago, long before we learned of this incident, we modified our systems so that they no longer allow telesales employees to access a customer's full social security number after that number has been used for an initial credit check.
[Evan] This was/is a good preventative control and a wise decision. I assume that Verizon has an extensive risk management and information security presence within the company. Verizon Wireless employs roughly 69,000 people and an estimated 65.7 million customers, so you can imagine the amount of sensitive personal information that they must control.
Although we do not have evidence that our former employee succeeded in stealing your identity, it is possible that this occurred given the nature of his offense.
We sincerely apologize for any inconvenience this may cause you
Commentary:
Verizon Wireless is providing affected persons with one year of credit monitoring.
Past Breaches:
None
Date Reported:4/22/08
Organization:
Verizon Wireless
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown
Types of Data:
Name, address, Social Security number, and/or Verizon Wireless account number
Breach Description:
A former employee of Verizon Wireless who worked in a telesales position has been charged with identity theft by the Somerset County, New Jersey Prosecutor's Office. According to Verizon Wireless, it appears that he may have taken sensitive personal information belonging to Verizon Wireless customers during his employment from November, 2003 to January, 2005.
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
a former Verizon Wireless telesales employee apparently obtained sensitive personal information about them from our records from late 2003 through early 2005.
Verizon Wireless is providing this notice to let you know that a former Verizon Wireless employee appears to have obtained, in violation of our policies, sensitive customer personal information, which may include your name, address, social security number, and/or Verizon Wireless account number.
[Evan] As I have said before in other similar breaches, employee fraud is often a difficult problem for information security professionals to tackle. This holds especially true when dealing with positions in the company that have statistically high turnover rates, like telesales, customer service, etc. These employees need a certain level of access to perform their job functions, but the access that they are granted needs to be as granular as possible. There are many controls that we try to apply like background checks (initial and periodic), role-based access control, monitoring, etc., but sometimes even the best controls can be circumvented. Remember that we are not in the risk elimination business, we are in the risk reduction business.
This former employee was arrested on March 27, 2008
The former employee has been charged with identity theft by the Somerset County, New Jersey Prosecutor's office, and we understand that he is likely to be indicted shortly.
We do not know the exact circumstances of this theft since we have not spoken to this individual.
However, based on copies of documents provided to us by the Prosecutor's office, it appears that he may have printed computers screens containing customer's names, addresses and social security numbers.
It appears that he may have taken this sensitive information about you while he worked for us in a telesales position for a little over a year, from November 2003 to January 2005.
Approximately two years ago, long before we learned of this incident, we modified our systems so that they no longer allow telesales employees to access a customer's full social security number after that number has been used for an initial credit check.
[Evan] This was/is a good preventative control and a wise decision. I assume that Verizon has an extensive risk management and information security presence within the company. Verizon Wireless employs roughly 69,000 people and an estimated 65.7 million customers, so you can imagine the amount of sensitive personal information that they must control.
Although we do not have evidence that our former employee succeeded in stealing your identity, it is possible that this occurred given the nature of his offense.
We sincerely apologize for any inconvenience this may cause you
Commentary:
Verizon Wireless is providing affected persons with one year of credit monitoring.
Past Breaches:
None
Posts Atom 1.0
Comments