Rogers Communications Inc. says that a security breach it attributes to “human error” resulted in outsiders gaining access to information associated with as many as 70 business accountsFred Lum/The Globe and Mail
Rogers Communications Inc. says that a security breach it is attributing to "human error" has resulted in outsiders gaining access to information associated with dozens of its medium-size business accounts.
The intruders appear to have used a technique known as "social engineering" – which relies on manipulating people into volunteering confidential information – to trick an IT support agent into handing over an employee's confidential details that were then used to gain access to Rogers's internal records.
Patricia Trott, a spokeswoman for the Toronto-based Internet and phone provider, said a "third party" accessed a "single e-mail address of one of our enterprise sales employees, who managed a small number of medium business accounts."
The breach occurred last week, she said in a statement Monday, and was due to "human error (not system error)."
Late Sunday afternoon, an anonymous Twitter user using the handle @TeamHans_ posted a link to a zip file containing copies of dozens of contracts for telecommunications services, as well as e-mail correspondence from the Rogers sales employee.
The contracts appear to relate to between 50 and 70 medium-sized businesses that were part of the portfolio managed by the employeewhose e-mail account was accessed. The contracts do not appear to contain payment or password information, but they do indicate the number of data or phone lines purchased as well as the amount spentby the business customers.
"The third party was able to access a small number of business agreements managed by this employee. The agreements include the business name, business address, business phone number and pricing details. They do not contain personal or financial information," Ms. Trott said in the statement. "The third party did not have access to any information on our retail customers (consumer accounts).
"As soon as we discovered the situation, we took all the necessary steps to secure our systems," she said, adding that the company is "working with the police" and has contacted the affected customers, which were in the Greater Toronto Area.
"As a precaution, we've put additional security procedures in place for our business customers. We take the privacy and security of our customers' information very seriously and we will continue to review our policies and procedures."
A report last week from Silicon Valley security firm FireEye Inc. outlined how corporations are often unprepared to counter data breaches.
As in the case of the Rogers breach, the report found that organizations are often vulnerable to mistakes by their own people. More than three-quarters of "phishing" e-mails – messages meant to fool recipients into sharing passwords and login information to access protected servers – came from hackers impersonating the company's information technology department or suppliers of anti-virus software in 2014,, almost double the level the previous year, the report said.
Stu Sjouwerman, chief executive of Florida-based security awareness training company KnowBe4 LLC, said hackers tend to target users because they are seen as a weak link: "They're the low-hanging fruit."
"But users can be trained," he added. "Users are smart, they're just not trained in IT. If you appeal to their common sense and you explain to them that the Web really is the Wild West … they see the light."
The website Databreaches.net first reported the breach on Sunday evening. The website said it conducted an interview with the individuals behind the @TeamHans_ Twitter account, who explained how they called Rogers IT support and convinced the agent to give them the sales employee's details.
According to the Databreaches story, those behind @TeamHans_ – who claim to reside outside Canada – said they demanded Rogers give them 70 bitcoins in exchange for not revealing the breach or sharing the information publicly.
The demand for the virtual currency is also revealed in one of the e-mails disclosed in the data dump, which outlines the steps Rogers was taking to address the breach of the employee's account and an apparent threat to him and his family. The intruders told Databreaches they did not make such a threat.
You have certain cybergangs that focus on this," Mr. Sjouwerman said of the type of scam seen in the Rogers breach. "You also have small, almost petty criminals, petty hackers, who do this for a living. Basically extortion on the Internet."
He noted that at the present price of about $273 (U.S.) per bitcoin, if Rogers had acceded to the demand, it would have been a "quick $19,000" for a few days' work.
The Rogers breach appears to have relied on gaining the trust of a help-desk employee – a decades-old tactic that "apparently still works," Mr. Sjouwerman said.
But he added that software-based "ransomware" scams are done on a far larger scale. In those cases, hackers typically entice users to click on a link that enables the hackers to encrypt computer files on the user's system and charge a "ransom" to restore access.