Bell Canada has acknowledged that hackers accessed the personal information of what it has told CBC News are fewer than 100,000 customers.
The telco says the information accessed included names, email addresses, account user names and numbers, and in some cases phone numbers. Neither credit card nor banking information was accessed.
“We apologize for this situation,” John Watson, Bell’s executive vice-president of customer experience, said in a letter to affected customers. “Please note that additional security identification and authentication requirements have been implemented on your account. When discussing your account with our service representatives you will be asked for this additional information to verify your identity.”
Despite being the country’s biggest telco with a large infosec staff, Bell is not immune to data breaches. Last May it admitted its customer subscriber database had been hacked, with the exposure of almost 2 million email addresses, 1,700 customer names and/or telephone numbers.
In February 2014, Bell confirmed more than 20,000 of its small-business customer usernames and passwords, as well as five credit cards, were divulged after a third-party IT provider was hacked. A group calling itself NullCrew claimed responsibility for the attack on Twitter.
This latest breach comes as the federal government is finalizing the data breach notification requirements federally regulated organizations will have to follow after an incident. Industry experts hope the regulations will be approved before the summer. Draft regulations were released last September. The final regulations could be released as part of a package with the government’s update to its national cyber security strategy for working with the private sector to improve resilience.
In a report last year the Canadian Chamber of Commerce — citing a report from Intel — estimated Canada loses 0.17 per cent of its gross domestic product (GDP) to cybercrime, which is equal to $3.12 billion a year.
The annual IBM-Ponemon Institute study of the cost of a data breach to a Canadian organization, issued last year, figured that in 2017 the average total cost to the 27 victim companies was $5.78 million, a decrease of $6.03 million over the previous year. The study looked at the costs incurred in 12 industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws. Note that the study excluded companies that had more than 100,000 records breached.
Among those 27 Canadian firms studied, breach costs ranged from $3.81 million for data breaches involving 10,000 or fewer records to $7.25 million for the loss or theft of 25,001 to 50,000 records.
Of those 27 Canadian firms studied, 48 per cent of incidents involved a malicious or criminal attack, 30 per cent involved negligent employees and 22 per cent involved system glitches, which includes both IT and business process failures.
Bell hasn’t said yet what the cause of the latest breach was.
By coincidence today, Symantec released its annual Norton Cyber Security Insights Report, which includes a breakdown of answers from 1,120 Canadian consumers surveyed in October 2017. These included:
- Canadians gained or maintained trust in organizations such as banks and financial institutions (86 per cent), and identity theft protection service providers (79 per cent) despite the attacks that made headlines in 2017.
- On the other hand, 38 per cent of Canadian respondents said they lost trust in their government to manage their data and personal information within the past year. Thirty-five per cent lost trust in social media platforms.
- Twenty-nine per cent of Canadian cybercrime victims said they trust in themselves to manage their data and personal information.
- 52 per cent of cybercrime victims in Canada said they shared their passwords for at least one device or account with others. By comparison, only 31 per cent of non-cybercrime victims said they share their passwords with others. Cybercrime victims in Canada were also more likely to share their passwords for potentially sensitive online accounts such as banking (17 per cent cybercrime victims vs. 12 per cent non-cybercrime victims), social media (20 per cent cybercrime victims vs. 12 per cent non-cybercrime victims) and email accounts (22 per cent cybercrime victims vs. 14 per cent non-cybercrime victims).