A major player in the US telecommunications industry, with over 117,000 employees, recently experienced an insider data breach that has impacted nearly half of its workforce. The breach, discovered on December 12, 2023, occurred on September 21, 2023, when an unauthorized employee accessed a file containing sensitive information of over 63,000 employees.
The exposed data includes full names, physical addresses, Social Security numbers, national IDs, gender, union affiliations, date of birth, and compensation information. Fortunately, customer information remains unaffected.
The US telecommunications giant, in response to the breach, has emphasized its commitment to enhancing internal security measures. While there is currently no evidence of malicious exploitation or widespread data leaks, the company is taking proactive steps to prevent future incidents.
HR Platforms Store Highly Sensitive Data
Sensitive employee data resides in Human Resources Information Systems (HRIS) and Applicant Tracking Systems (ATS), with Workday being a notable example. Sensitive records stored within these systems include:
- Personal Details (First Name, Last Name, ID, Home Address, Phone, Email, Date of Birth, Marital Status, etc.)
- Payroll and Commissions
- Option Grants and Shares
- Bank Account Details
- Health Insurance Plans
- Interview and Reference Summaries
- Background Checks
- Employment Termination Details
- Personal Information of Spouse and Children
As HR departments adopt more SaaS-based HRIS and ATS systems, they must take measures to prevent the cybersecurity risks associated with storing sensitive data on a cloud-based service. This is why HRIS and ATS systems based on SaaS became a prime target for threat actors. The Telecom incident underscores the urgency for organizations to fortify the security of these platforms.
In addition to the points addressed in the original breach article, it is important to understand the complexity of permission structures within their HR platforms and how they impact access control.
Understanding Complex Permission Structures
Organizations must invest time and resources to fully understand the permissions granted within their HR platforms. This includes not only knowing which employees have access to sensitive data but also understanding the specific actions they can perform with that data, for example read, modify, delete, etc. A lack of clarity in permission structures can lead to inadvertent exposure of sensitive information and increase the risk of insider threats. HR systems can have a very complex system composed of Security groups, Domains (within a Functional Area for example), Organizations, Roles, criterias, and more which interact with each other and add complexity that can create a security issue. Moreover, the importance of visibility into who has permission to what and through which controls cannot be overstated.
Continuous Monitoring for Unusual Behavior
Continuous monitoring against insider threats is essential. Organizations should implement systems that provide real-time insights into user activities within HRIS. This includes monitoring for unusual behavior patterns such as excessive downloads, granting access to an external user (maybe their private email) and any deviations from normal usage patterns.
Continuous monitoring is not a one-time effort but an ongoing process. Regularly reviewing access logs, conducting periodic audits, and leveraging advanced analytics to detect anomalies are vital components of a comprehensive security strategy. This proactive approach allows organizations to identify and address potential security issues before they escalate into major breaches. An example of such a serious security issue is a threat actor changing the bank account details of an employee so that their payroll is redirected to the hacker’s account. This example emphasizes the importance of safeguarding HRIS systems.
Conclusion
The recent data breach at the US telecommunications giant highlights the vulnerability of even major corporations to insider threats. By learning from such incidents, organizations can take proactive steps to secure their HR platforms, implement continuous discovery mechanisms, fortify their overall cybersecurity posture, and ensure a comprehensive understanding of complex permission structures. Constant adaptation and improvement are essential in the ever-changing landscape of cybersecurity.