Hackers steal data from as many as 100,000 Bell Canada customers
Company says extra authentication has been placed on client accounts
Hackers have illegally accessed Bell Canada’s customer information for the second time in eight months, prompting an RCMP investigation into the data breach at Canada’s largest telecommunications company.
BCE Inc. confirmed Tuesday that hackers got hold of fewer than 100,000 customer names and email addresses, and a limited number of phone numbers, user names and/ or account numbers. This follows a hack in May 2017 when 1.9 million email addresses and about 1,700 names and phone numbers were stolen from Bell’s database.
“There is no indication that any credit card or other banking information was accessed,” Bell spokesman Marc Choma said in a statement.
“We apologize to our customers and are contacting all those affected.”
Bell said the RCMP is actively investigating the incident, which affected only a fraction of its 22 million subscriptions. Bell said it works closely with police, government and industry partners to combat cyber crime.
In an email sent Tuesday to customers affected by the breach, Bell’s executive vice president of customer experience John Watson said additional security authentication and identification requirements were placed on their accounts.
He recommended customers change passwords and security questions frequently and regularly review accounts for suspicious activity.
“The protection of customer and corporate information is of primary importance to Bell,” Watson wrote.
But some customers have questions about when Bell discovered the breach.
One Montreal subscriber with home phone, internet and mobility services received an email on Dec. 20 with a verification code to help confirm his identity with Bell. He found it unusual, as he hadn’t reached out to Bell. On Tuesday, he received the email stating his data had been illegally accessed.
Bell did not immediately answer questions about when the hack occurred or when it discovered the breach.
Bell informed government agencies of the hack including the Office of the Privacy Commissioner, which confirmed it was notified of the breach on Tuesday.
“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” privacy commissioner spokeswoman Tobi Cohen said in an email.
It would not provide further details citing confidentially rules in the Personal Information Protection and Electronic Documents Act (PIPEDA).
But the office does outline key steps to respond to privacy breaches. It recommends that businesses immediately contain the breach and notify police if the breach appears to involve theft or other criminal activity.
The next step is to evaluate the scale of the breach and the sensitivity of the information accessed. It then recommends notifying individuals if there is a risk of identity theft, financial loss or other harm so the person can take steps to mitigate risk, such as changing their passwords.
The office recommends businesses conduct security audits and review their record retention policies and employee training practices in order to prevent future breaches.
Massive data theft has made headlines over the past few years, leaving some consumers wary about their personal information.
The largest known breach was at Yahoo, which announced last fall that all 3 billion of its user email accounts were affected by a hack in 2013. Last year, Equifax reported that 145 million people, including 100,000 Canadians, had personal information stolen in a cyber attack. The CEO stepped down after the data breach.