Bell Canada site hacked for second time
‘Fewer than 100,000’ clients affected
TORONTO • Hackers have illegally accessed Bell Canada’s customer information for the second time in eight months, prompting an RCMP investigation into the data breach at Canada’s largest telecommunications company.
“BCE Inc. confirmed Tuesday that hackers got hold of ‘fewer than 100,000’ customers’ information, including names and email addresses. This follows a hack in May 2017 when 1.9 million email addresses and about 1,700 names and phone numbers were stolen from Bell’s database.
“There is no indication that any credit card or other banking information was accessed,” Bell spokesman Marc Choma said in a statement.
“We apologize to our customers and are contacting all those affected.”
Bell said the RCMP is investigating the i ncident, which affected only a fraction of its 22 million subscriptions. Bell said it works closely with police, government and industry partners to combat cyber crime.
In an email sent Tuesday to customers affected by the breach, Bell’s executive vicepresident of customer experience John Watson said additional security authentication and identification requirements were placed on their accounts.
He recommended customers change passwords and security questions frequently and regularly review accounts for suspicious activity.
“The protection of customer and corporate information is of primary importance to Bell,” Watson wrote.
Bell did not immediately answer questions about when the hack occurred or when it discovered the breach.
Bell informed government agencies of the hack including the Office of the Privacy Commissioner, which confirmed it was notified of the breach on Tuesday.
“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” privacy commissioner spokeswoman Tobi Cohen said in an email.
It would not provide further details citing confidentially rules in the Personal Information Protection and Electronic Documents Act (PIPEDA).
But the office does outline key steps to respond to privacy breaches. It recommends that businesses immediately contain the breach and notify police if the breach if it appears to involve theft or other criminal activity.
The next step is to evaluate the scale of the breach and the sensitivity of the information accessed. It then recommends notifying individuals if there is a risk of identity theft, financial loss or other harm so the person can take steps to mitigate risk, such as changing their passwords.
The office recommends businesses conduct security audits and review their record retention polices and employee training practices in order to prevent future breaches.
Massive data theft has made headlines over the past few years, leaving some consumers wary about their personal information.
The largest known breach was at Yahoo, which announced last fall that all 3 billion of its user email accounts were affected by a hack in 2013. Last year, Equifax reported that 145 million people, including 100,000 Canadians, had personal information stolen in a cyber attack. The CEO stepped down after the data breach.
Data theft is becoming more frequent as money moves online, making it a modern equivalent of robbing a bank, said Robert Hudyma, associate professor of information technology management at Ryerson University.
It’s much harder for police to catch cyber criminals because they can be anywhere, he said.
Since anyone connected to a computer is vulnerable, companies must be “totally vigilant” and patch their systems, he said, adding that simpler systems have fewer opportunities for breaks.