Bell Canada says its customer subscriber database has been hacked, with the exposure of almost 2 million email addresses, 1,700 customer names and/or telephone numbers.
“There is no indication that any financial, password or other sensitive personal information was accessed,” the company said in a news release. “This incident is not connected to the recent global WannaCry malware attacks.”
“We apologize to Bell customers for this situation and are contacting those affected directly.”
Meanwhile, the Globe and Mail reports that an anonymous note posted on an unspecified online site says the communications company has been threatened: the note's author says data from the breach is being released and that “more will leak” if the telecom company doesn’t work with the group or individual.
Bell says it took immediate steps to secure affected systems. It has been working closely with the RCMP cyber crime unit in its investigation and has informed the Office of the Privacy Commissioner.
When approached by ITBusiness.ca, a Bell spokesperson said the company could not comment further for reasons related to both security and the ongoing police investigation. However, all affected customers should be reached by the end of the day, the spokesperson said.
While no passwords were accessed, the thieves will undoubtedly run the email addresses against known databases of passwords stolen from other sites, looking for any commonly reused ones, to try to crack the Bell email passwords. They will also run them against popular but unsafe passwords such as “Password1,” “Password2,” “Monday1” etc., as well as dictionaries. It is not unusual for people to use the same password on different sites.
Thieves will also take the stolen email addresses and add them to lists for sending spam and phishing attacks.
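The password-reuse risk described above is exactly what a provider's password screen is meant to blunt: rejecting a new password when it appears in a known-compromised list, or when stripping trivial decoration (“Monday1”, “P@ssw0rd1”) leaves a dictionary word. The following is an added example written for this page, not Bell's code or anything from the article; the compromised-password set and dictionary are tiny constructed samples standing in for the large corpora a real deployment would load.

```python
import re

# Constructed sample data (illustrative only): a stand-in for a breached-password
# corpus and a base-word dictionary. Real deployments load these from large files.
COMPROMISED_PASSWORDS = {
    "password1", "password2", "monday1", "letmein", "qwerty123",
}
DICTIONARY_WORDS = {
    "password", "monday", "tuesday", "welcome", "summer", "bell", "canada",
}

# Common character substitutions that cracking rule sets undo when guessing.
_LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize_base_word(password: str) -> str:
    """Reduce a candidate to the base word a cracking rule set would recover.

    Lowercases, strips leading/trailing digits and symbols, then undoes
    common leet substitutions, so "Monday1" -> "monday" and
    "P@ssw0rd1!" -> "password".
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+", "", p)   # strip leading digits/symbols
    p = re.sub(r"[^a-z]+$", "", p)   # strip trailing digits/symbols
    return p.translate(_LEET_MAP)


def screen_password(password: str,
                    compromised=COMPROMISED_PASSWORDS,
                    dictionary=DICTIONARY_WORDS,
                    min_len: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means it passed."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Exact match against the compromised corpus catches reused passwords
    # that have already leaked elsewhere.
    if password.lower() in compromised:
        reasons.append("appears in compromised-password list")
    # Decorated dictionary words fall to rule-based guessing almost as fast.
    base = normalize_base_word(password)
    if base in dictionary:
        reasons.append(f"dictionary word '{base}' with trivial decoration")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1", "Monday1", "P@ssw0rd1!", "correct-horse-battery-staple"]:
        verdict = screen_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The screen is deliberately layered: the exact-match check is what a breach-corpus lookup provides, while the normalization step catches the predictable variants a user reaches for when a site forces a digit or symbol. Both checks run offline against local data, so no candidate password leaves the authentication service.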
In February, 2014 Bell confirmed that more than 20,000 of its small-business customer usernames and passwords, as well as five credit cards, were divulged after a third party IT provider was hacked. A group that calls itself NullCrew claimed responsibility for the attack on Twitter. Screenshots released by that group to prove its claim suggested the method was an SQL (structured query language) injection attack.
Public disclosure of the breach comes as the Liberal government is discussing breach notification regulations under the 2015 Digital Privacy Act, which amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to require organizations under federal jurisdiction to tell individuals when their personal information has been disclosed in a way that could cause significant harm. Disclosure must also be made to the federal privacy commissioner.
The regulations will spell out how much disclosure has to be made and how quickly after a breach has been discovered. Strictly speaking, Bell didn’t have to disclose the breach to victims or the privacy commissioner because the regulations haven’t been proclaimed yet, but doing so has been accepted as a best practice since the Digital Privacy Act was passed.
Draft regulations may be announced as early as the summer with the intent to make them come into effect at the start of 2018.