Cyber Incident Victim: Scarborough Health Network

Date:

May 2022

Location:

Canada

Summary

A hacker obtained a database containing full names, email addresses, corporate ID numbers, and phone numbers of hundreds of employees through social engineering, convincing an employee to grant remote access to their corporate device. The attacker then scraped internal employee directory information using an internal tool. While the compromised data excluded highly sensitive details like Social Security Numbers or financial information, it poses risks for targeted phishing, impersonation attacks, or facilitating SIM-swapping schemes. The hacker attempted to extort the organization by threatening to leak the data, but the company dismissed the threat as involving "readily available" directory information and declined further engagement. The incident highlights vulnerabilities in employee security awareness and potential misuse of internal systems.

Description

In late September 2025, an anonymous hacker obtained a database containing personal information of hundreds of Verizon employees through a social engineering attack targeting company personnel. The attacker contacted a Verizon employee while posing as internal support staff, convincing the target to grant remote access to their corporate computer. After gaining entry, the hacker accessed an internal Verizon tool displaying employee directory information and wrote a script to systematically query and scrape records containing full names, corporate ID numbers, email addresses, and phone numbers. The hacker subsequently contacted Verizon via email threatening to leak the entire employee database unless the company provided payment, attaching a screenshot of the stolen data as proof of access. Verizon confirmed receiving the threat but downplayed the severity, stating the information constituted "readily available employee directory" data and that they had no intention of negotiating with the threat actor.

Motherboard verified portions of the dataset by contacting individuals listed, with four current employees and one former employee confirming their details were accurate. Approximately a dozen additional entries were corroborated through voicemail greetings matching the names in the database. While the breach did not expose highly sensitive information like Social Security Numbers or financial data, security experts highlighted significant risks associated with the stolen employee details. The information could facilitate targeted phishing campaigns against Verizon staff, enable impersonation attempts to gain deeper access to internal systems, or support SIM-swapping operations by criminals posing as authorized personnel. Historical precedents cited in the report showed telecom employees had previously assisted criminal groups in SIM-swapping schemes, which allow attackers to hijack phone numbers and compromise victims' financial accounts through password resets. Verizon maintained its position that existing security measures adequately protected its systems and personnel despite the confirmed extraction of employee records through compromised credentials.
