[BreachExchange] Hacker steals data from up to 100,000 Bell Canada customers in second breach in eight months

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 19:22:48 EST 2018


Hackers have illegally accessed Bell Canada’s customer information for the
second time in eight months, prompting an RCMP investigation into the data
breach at Canada’s largest telecommunications company.

BCE Inc. confirmed Tuesday that hackers got hold of ‘fewer than 100,000’
customers’ information, including names and email addresses. This follows a
hack in May 2017 when 1.9 million email addresses and about 1,700 names and
phone numbers were stolen from Bell’s database.

“There is no indication that any credit card or other banking information
was accessed,” Bell spokesman Marc Choma said in a statement.

“We apologize to our customers and are contacting all those affected.”

Bell said the RCMP is actively investigating the incident, which affected
only a fraction of its 22 million subscriptions. Bell said it works closely
with police, government and industry partners to combat cyber crime.

In an email sent Tuesday to customers affected by the breach, Bell’s
executive vice president of customer experience John Watson said additional
security authentication and identification requirements were placed on
their accounts.

He recommended customers change passwords and security questions frequently
and regularly review accounts for suspicious activity.

“The protection of customer and corporate information is of primary
importance to Bell,” Watson wrote.

Bell did not immediately answer questions about when the hack occurred or
when it discovered the breach.

Bell informed government agencies of the hack including the Office of the
Privacy Commissioner, which confirmed it was notified of the breach on

“We are following up with Bell to obtain information regarding what took
place and what they are doing to mitigate the situation, and to determine
follow up actions,” privacy commissioner spokeswoman Tobi Cohen said in an

It would not provide further details, citing confidentiality rules in the
Personal Information Protection and Electronic Documents Act (PIPEDA).

But the office does outline key steps to respond to privacy breaches. It
recommends that businesses immediately contain the breach and notify police
if it appears to involve theft or other criminal activity.

The next step is to evaluate the scale of the breach and the sensitivity of
the information accessed. It then recommends notifying individuals if there
is a risk of identity theft, financial loss or other harm so the person can
take steps to mitigate risk, such as changing their passwords.

The office recommends businesses conduct security audits and review their
record retention policies and employee training practices in order to
prevent future breaches.

Massive data theft has made headlines over the past few years, leaving some
consumers wary about their personal information.

The largest known breach was at Yahoo, which announced last fall that all 3
billion of its user email accounts were affected by a hack in 2013. Last
year, Equifax reported that 145 million people, including 100,000
Canadians, had personal information stolen in a cyber attack. The CEO
stepped down after the data breach.

Data theft is becoming more frequent as money moves online, making it a
modern equivalent of robbing a bank, said Robert Hudyma, associate
professor of information technology management at Ryerson University.

It’s much harder for police to catch cyber criminals because they can be
anywhere, he said.

Since anyone connected to a computer is vulnerable, companies must be
“totally vigilant” and patch their systems, he said, adding that simpler
systems have fewer opportunities for breaks.