Bell store at Rideau Centre in Ottawa Aug. 12, 2010.Blair Gable/The Globe and Mail
Bell Canada is the latest big-name company to become ensnared in a hacking incident after announcing that a cyberattack on a third-party supplier compromised the confidential account information of more than 22,000 of its small business customers.
The Montreal-based telecommunications company said Sunday that 22,421 user names and passwords and five credit card numbers belonging to small business customers were posted on the Internet over the weekend after hackers targeted the the computer systems of an Ottawa-based supplier.
That unnamed company provided the affected Bell customers with an ordering application for some small-business services. Only some customers in Ontario and Quebec who used the app fell victim to the security breach.
Bell stressed that hackers never gained access to its own network and computer systems, adding that none of its residential, mobility or enterprise business customers were affected by the attack.
As hacking incidents go, this one is relatively small in scope given that Bell provides more than 21 million customer connections across the country.
Still, the incident points to a troubling trend that has seen hackers swipe confidential information with increasing impunity.
Among the most brazen attacks in recent months includes one on Target Corp., which involved hackers stealing the credit and debit card records of tens of millions of customers during the holiday shopping season. Another U.S. retailer, Neiman Marcus, has said more than a million of its customers may have had their payment information compromised in a breach last year.
And technology giant Yahoo Inc., which provides the world's second-largest e-mail service, said last week that an unspecified number of its clients' user names and passwords were stolen by hackers. It is unknown how many Canadians had their personal information stolen in those three high-profile attacks.
As for the breach that victimized Bell's customers, a hacker group called "NullCrew" claimed responsibility on Twitter, though that could not be confirmed.
Bell spokesman Mark Langton said the hacking incident remains under investigation. He declined to say how Bell learned of the security breach. (Bell's parent company, BCE Inc., owns a 15-per-cent stake in The Globe and Mail.)
"In line with our strict privacy and security policies, Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies," Bell said in a statement. "We continue to work with the supplier as well as law enforcement and government security officials to investigate the matter."
Bell works with a number of groups on security issues, including the Canadian Cyber Incident Response Centre, which is part of Public Safety Canada. A spokesperson did not immediately respond to a request for comment.
"Bell's after-the-fact response seems perfectly reasonable, but does nothing to make people feel any more secure, even the customers who were compromised by this event," Jon Arnold, a communications consultant at Toronto-based J Arnold & Associates, said in an e-mail.
"Businesses of all sizes remain vulnerable to security breaches that will increase in both scale and severity as we continue to trust third parties with personal data. This is just the latest example to illustrate how best practices at the front end continue to lag hackers in terms of having a comprehensive security framework."
Rita Trichur