Bell Canada says it’s been hacked, apologizes to customers

Bell Canada says its customer subscriber database has been hacked, with the exposure of almost 2 million email addresses and 1,700 customer names and/or telephone numbers.

“There is no indication that any financial, password or other sensitive personal information was accessed,” the company said in a news release. “This incident is not connected to the recent global WannaCry malware attacks.”

“We apologize to Bell customers for this situation and are contacting those affected directly.”

Meanwhile, the Globe and Mail reports that an anonymous note posted on an unspecified online site says the communications company has been threatened: data from the breach is being released, says the author, and “more will leak” if the telecom company doesn’t work with the group or individual.

Bell says it took immediate steps to secure affected systems. It has been working closely with the RCMP cyber crime unit in its investigation and has informed the Office of the Privacy Commissioner.

When approached by ITBusiness.ca, a Bell spokesperson said the company could not comment further for reasons related to both security and the ongoing police investigation. However, all affected customers should be reached by the end of the day, the spokesperson said.

While no passwords were accessed, the thieves will undoubtedly run the email addresses against known databases of passwords stolen from other sites, looking for commonly used words they can use to try to crack the Bell email passwords. They will also run them against popular, and unsafe, passwords such as “Password1,” “Password2,” “Monday1” etc., as well as dictionaries. It is not unusual for people to use the same password on different sites.

Thieves will also take the stolen email addresses and add them to lists for sending spam and phishing attacks.

In February 2014, Bell confirmed that more than 20,000 of its small-business customer usernames and passwords, as well as five credit cards, were divulged after a third-party IT provider was hacked. A group that calls itself NullCrew claimed responsibility for the attack on Twitter. Screenshots released by that group to prove its claim suggested the method was an SQL (structured query language) injection attack.

Public disclosure of the breach comes as the Liberal government is discussing breach notification regulations for organizations to comply with the 2015 Digital Privacy Act, which amends the Personal Information Protection and Electronic Documents Act (PIPEDA). The amended law requires organizations under federal jurisdiction to tell individuals when their personal information has been disclosed in a way that could cause significant harm. Disclosure to the federal privacy commissioner also has to be made.

The regulations will spell out how much disclosure has to be made and how fast after a breach has been discovered. Strictly speaking, Bell didn’t have to disclose the breach to victims or the privacy commissioner because the regulations haven’t been proclaimed yet, but disclosure has been accepted as a best practice since the Digital Privacy Act was passed.

Draft regulations may be announced as early as the summer with the intent to make them come into effect at the start of 2018.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
