BCE Inc.'s Bell Canada has issued an apology to customers after it said nearly 1.9 million customer e-mail addresses and 1,700 names and phone numbers were illegally accessed – while an anonymous note posted online threatens that "more will leak" if the telecom company doesn't co-operate with the group or individual claiming responsibility for the breach.
"We are releasing a significant portion of Bell.ca's data due to the fact that they have failed to [co-operate] with us," says the post, which was published Monday afternoon, several hours before Bell released its apology.
"This shows how Bell doesn't care for its [customers'] safety and they could have avoided this public announcement… Bell, if you don't [co-operate] more will leak :)." The post contains a link purporting to contain the customer information. It does not clarify what the anonymous poster was seeking co-operation for, or any further intent.
The telecom company has been aware of its data breach since at least last Wednesday but did not disclose details publicly until several hours after the anonymous post on Monday.
Bell says that the attacks were not related to the "WannaCry" ransomware attack that spread across the globe late last week. The global cyberattack hit hundreds of thousands of people worldwide, encrypting their data for a ransom of about $300 (U.S.) in the digital currency bitcoin. While the Bell breach was not connected to the broader attack, digital security breaches have become increasingly rampant in Canada and around the world, prompting many companies and security experts to encourage consumers to regularly change passwords and be vigilant in online activities.
"There is no indication that any financial, password or other sensitive personal information was accessed," the company said in a statement. "Bell took immediate steps to secure affected systems. The company has been working closely with the RCMP cybercrime unit in its investigation and has informed the Office of the Privacy Commissioner."
Bell notified the commissioner's office of the breach on May 10, and had planned to make customers aware of the situation once it had more details. "We are following up with the company with respect to what took place and what it is doing to mitigate the situation," a spokesperson for the commissioner's office told The Globe. "We expect a formal written breach report from Bell very soon."
The spokesperson said by e-mail that they could not provide further details or an interview because of confidentiality provisions in the Personal Information Protection and Electronic Documents Act, Canada's federal private-sector privacy law.
Bell has been contacting affected customers directly to apologize for the situation, noting that it has worked with government and law enforcement to investigate. The company said in e-mails to customers that "there is minimal risk involved" in this data breach but encouraged them to regularly change passwords and security questions and to avoid suspicious e-mails and communications. "Please note that Bell will never ask for your credit card or other personal information by e-mail," it said.
The company declined to comment on the specifics of the attack, citing security reasons and the ongoing police investigation.