Last updated at Tue, 21 Mar 2023 17:56:40 GMT

What comes to mind when you think of the word “insider”? Many of you may be reminded of Edward Snowden, the computer intelligence consultant for the NSA who leaked classified information to the press. But the word “insider” can mean different things depending on the context.

First, let's take a look at the definition as it relates to an “insider threat.” In this context, an insider is an employee, former employee, contractor, or business associate who has information concerning the organization's security practices, data, and computer systems. Some insiders voluntarily help cybercriminals while others are coerced through blackmail.

Telecom sector insiders are typically either cellular or Internet service provider employees. The former can obtain access to subscriber and company data or duplicate/reissue SIM cards, while the latter can support network mapping and man-in-the-middle attacks.

Insiders’ motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion, and carelessness. Below we’ll take a look at some instances in which telecom companies were breached with the help of an insider.

AT&T workers took $1 million in bribes to unlock 2 million phones

Several employees of AT&T were bribed to assist a hacker in unlocking over 2 million customer cell phones in a scheme that spanned the years 2012 to 2017. The hacker offered to pay over $1 million in exchange for the company employees’ help in unlocking AT&T’s proprietary locking software. He communicated with his insiders through several social media channels. Those who agreed to cooperate were given phones and IMEI codes, which were later used to install malware on AT&T's network. The insiders helped develop and install tools to unlock the phones from remote locations. AT&T reported that it had lost about $5 million a year via the phone unlocking scheme.

TalkTalk placed personal data from 21,000 customers at risk

“TalkTalk”, a UK-based company, exposed over 21,000 customers to information leakage by granting unauthorized access to third-party support staff. According to the investigation, “rogue” staff at a large IT services vendor, who resolved high-level complaints and network problems on TalkTalk’s behalf, used an online company portal to gain unauthorized access to customer data – including names, addresses, and phone numbers.

The incident occurred back in 2014 and the leak was later discovered due to multiple complaints from customers who informed the company that scam callers had been targeting subscribers under the pretense of providing technical support. As a result, the company was fined £100,000 by the Information Commissioner’s Office (ICO). Not long after, the company was fined again for £400,000 due to security failings that led to the company being hacked in October 2015.

Disgruntled former Ofcom employee leaks sensitive information

Ofcom (The Office of Communications) is the regulator and competition authority for the UK communications industries. It regulates the TV and radio sectors, fixed line telecoms, mobiles, postal services, and more. During 2016, it was revealed that a former Ofcom employee leaked sensitive data about various TV companies to his new employer, a major broadcaster. It appears that the former employee downloaded six years' worth of data before leaving the company as revenge for being fired. However, instead of exploiting the data, the new employer decided to alert Ofcom regarding the stolen information.


Insider threats pose significant risks to businesses across industries, but particularly to telecommunications companies. The value of the phone and Internet communications that they provide makes them desirable targets in general, but the emphasis on SIM swapping attacks as a way to defeat SMS-based two-factor authentication for individually targeted phone numbers makes insider threats a more cost-effective access vector for would-be attackers.

Telecommunications companies should establish insider threat programs if they have not already done so. Such insider threat programs should place greater emphasis on employees whose access could enable SIM swapping attacks in particular, which are a primary reason for criminals to recruit them. Also, two-factor authentication users should switch from SMS-based methods to mobile authenticator apps, which are not vulnerable to SIM swapping attacks.
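
One way an insider threat program could monitor the employee access that enables SIM swapping, shown as an added example that is not part of the original article: Python detection logic that reviews SIM reissue audit records per employee. The record schema, identifiers, shift window, and thresholds are all assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit records (hypothetical schema, not from any carrier system):
# (employee id, subscriber id, ISO timestamp, linked customer ticket or None)
EVENTS = [
    ("emp-101", "sub-0001", "2023-03-01T10:15", "TCK-9001"),
    ("emp-101", "sub-0002", "2023-03-01T14:40", "TCK-9002"),
    ("emp-102", "sub-0003", "2023-03-01T11:05", "TCK-9003"),
    ("emp-103", "sub-0004", "2023-03-01T09:30", "TCK-9004"),
    ("emp-104", "sub-0005", "2023-03-01T23:10", None),
    ("emp-104", "sub-0006", "2023-03-01T23:14", None),
    ("emp-104", "sub-0007", "2023-03-01T23:19", "TCK-9005"),
    ("emp-104", "sub-0008", "2023-03-01T23:25", None),
    ("emp-104", "sub-0009", "2023-03-02T00:02", None),
    ("emp-104", "sub-0010", "2023-03-02T00:07", "TCK-9006"),
]

def flag_employees(events, volume_factor=3, max_unticketed=1, max_off_hours=2):
    """Return {employee: [reasons]} for staff whose SIM reissues need analyst review.

    Thresholds are illustrative assumptions to tune against real baselines.
    """
    total, unticketed, off_hours = Counter(), Counter(), Counter()
    for emp, _sub, ts, ticket in events:
        total[emp] += 1
        if ticket is None:                      # no customer request behind the change
            unticketed[emp] += 1
        hour = datetime.fromisoformat(ts).hour
        if hour < 7 or hour >= 20:              # outside assumed 07:00-20:00 shift window
            off_hours[emp] += 1
    peer_median = median(total.values())        # median resists skew from one heavy user
    findings = defaultdict(list)
    for emp, count in total.items():
        if count >= volume_factor * peer_median:
            findings[emp].append(f"volume: {count} reissues vs peer median {peer_median}")
        if unticketed[emp] > max_unticketed:
            findings[emp].append(f"unticketed: {unticketed[emp]} reissues with no customer ticket")
        if off_hours[emp] > max_off_hours:
            findings[emp].append(f"off-hours: {off_hours[emp]} reissues outside shift window")
    return dict(findings)

if __name__ == "__main__":
    for employee, reasons in flag_employees(EVENTS).items():
        print(employee, "->", "; ".join(reasons))
```

Each flag is a prompt for analyst review, not proof of wrongdoing; combining the three signals reduces noise from staff who simply handle a busy queue.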

