Bell Canada on Monday announced that an unknown attacker had gained access to customer information.
The breach was not related to the recent WannaCry ransomware attack, the company said. That malware attack infected 300,000 machines in 150 countries and continues to spread, albeit at a much slower rate.
The data purloined from Bell Canada includes approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers. The company said there was no indication that any "financial, password or other sensitive personal information was accessed."
Canada's largest telecommunications and media company, headquartered in Montreal, Quebec, issued an apology and said it was in the process of notifying customers and had taken steps to mitigate the situation. It has also partnered with the RCMP cyber crime unit and notified the Office of the Privacy Commissioner.
The incident may be an extortion attempt by an individual or group who posted some of the stolen data online and threatened to leak more if the telecom giant fails to cooperate.
“We are releasing a significant portion of Bell.ca's data due to the fact that they have failed to [co-operate] with us,” the post said. “This shows how Bell doesn't care for its [customers'] safety and they could have avoided this public announcement… Bell, if you don't [co-operate] more will leak :).”
While the post includes a link supposedly exposing the data stolen from Bell Canada, there is no explanation for who is behind the demand or what sort of cooperation they were seeking.
This attack highlights a trend where hackers cast a wide net and use easily attainable account and identity information as a starting point for high-value targets, Jason Hart, VP and CTO for data protection at Gemalto, told SC Media on Tuesday. "While no passwords were accessed, the hackers will likely run the email addresses against known databases of stolen passwords from other sites to see if there are any commonly used words, to try and crack the Bell email passwords."
CSOs and security teams need to adopt situational awareness of user access and of the data they store and move, Hart said. "This is something hackers already are doing. As an industry, we need to take a hint from them and know our surroundings, meaning understanding exactly where data resides, who has access to it, how it is transferred, when it is encrypted/decrypted – really the entire supply chain of digital users and the data."
This data-centric view of threats means using better identity and access control techniques, multifactor authentication, and encryption and key management to secure sensitive data, Hart said. "These are no longer 'best practices' but necessities. This is especially true with new and updated government mandates like the 2015 Digital Privacy Act in Canada, the General Data Protection Regulation (GDPR) in Europe, U.S. state-based and APAC country-based breach disclosure laws."
Meanwhile, in an email to its customers, Bell Canada said there "is minimal risk involved" in this intrusion. However, the company advised customers to regularly change passwords as well as the security questions used to access their accounts. The company also warned customers to be suspicious of unsolicited emails. “Please note that Bell will never ask for your credit card or other personal information by email,” the firm wrote.