Bell Canada Enterprises says it has recovered the stolen data relating to 3.4 million Ontario and Quebec customers with help from the Montreal police.
A 30-year-old Montreal man was arrested on Tuesday in connection with the incident.
Bell says it was tipped off by an informant mid-January that its security had been breached.
“Our security and our forensic technology teams are combing through the data and determining precisely what’s part of [the breach],” Mark Langton, Bell spokesperson told ITBusiness.ca.
The unidentified suspect is not a former Bell employee, he adds.
(Security experts note that while threats from outside the enterprise have increased in the last couple of years – insiders still pose a more serious risk than outsiders).
Bell says its ongoing investigation prevents it from revealing how the suspect got his hands on the electronic information.
“It was on a hard drive and on a memory stick and on a CD,” Langton explains. “It was all electronic, there was no other format.”
The data consisted of names, addresses, phone numbers, a list of services received and long-distance calling details.
About five per cent of the numbers were unlisted, and affected customers will be contacted by Bell, Langton says.
He says no financial information – such as PIN numbers or credit card numbers – was included in the stolen data.
The suspect was charged with “unauthorized use of a computer”, and released, and will require to come to court on April 10 to face the charges, according to Oliver Lapointe, a spokesperson for the Montreal Police.
“The investigation is not over and we’re looking for other potential suspects,” Lapointe adds.
Bell corporate security was tipped off when the suspect allegedly tried to sell customer data to the informant.
The team applied for the right of search and seizure of the data, and police got an arrest warrant at the same time.
The information was of interest for marketing purposes, not fraud, Lapointe says.
Canadian companies can do more to guard confidential customer information, says David Senf, director of Canadian security and software research at Toronto-based IDC Canada.
“Organizations in Canada have a rough idea of what security threats can harm them,” he says. “But when it comes down to specifics, of which threat is the one they need to focus on, that’s where we see trouble.”
Bell, however, has defended its data security procedures in a press release.
“Protecting the privacy of customer information is of prime importance to Bell,” the release said. “The company has strict policies and procedures and sophisticated security systems in place to protect that information.”
Bell spokesperson Langton couldn’t think of a similar incident ever occurring at Bell, and believes this is a first-time event.
But he says the breach could mean a review is needed.
“It’s frustrating, but we’ll be looking at our entire security system,” he says.
Hackers will continue to prey on companies as well as individuals who don’t protect their information, Senf says, whether it’s en masse theft, or piece-by-piece collection from social networking sites.
“It’s no longer hackers having fun,” he says. “It’s someone who wants to make a dollar going after the information.”