MuchMusic has warned Web site contest entrants that their personal information may have been stolen and used by hackers, globeandmail.com has learned.
The station sent out a mass security advisory e-mail Wednesday night to all entrants saying their contest databases may have been compromised. The breach may have happened as early as May.
- Read the memo The contests are open to people under the age of 18, and require that entrants provide a street or e-mail address, phone number and age.
MuchMusic received a complaint in May that viewers were being contacted from a person claiming to be a station employee. In all, 12 to 15 people have complained of prank calls.
The phone calls stopped for several months until just over a week ago when another viewer received a strange phone call.
"Information that they provided in the latest calls lead us to have serious suspicion that our database had been compromised," said Sarah Crawford, vice-president of public affairs for CHUM TV. "We still don't know if that's the case, but as soon as we thought it was a possibility we took a number of actions.
"We looked at the problem from the time we got the first call," Ms. Crawford said. "At the time we treated the calls for what they were: nuisance calls."
The advisory also says that contest entrants have received "prank" phone calls from people pretending to be MuchMusic employees.
"In the first case someone was calling them at a very strange time of day," Ms. Crawford said. "Either very late at night or very, very early in the morning which made the person suspicious."
Ed Arditti, a father from Windsor, Ont., is upset that MuchMusic didn't post a message on their Web site's home page about the security breach.
"With all the scares about viruses and trojans and hackers and things, and especially because they're dealing with kids, I would have thought that they would have a pretty secure system in place," said Mr. Arditti, who got four copies of the advisory e-mail to different addresses at his house. His children, who are in their 20s, had entered contests.
People under the age of 18 are eligible for the contest, providing that the prize is accepted on their behalf by their parent or legal guardian. Right now, the MuchMusic Web site is advertising 10 contests, and has published the names of recent winners on-line. Ms. Crawford said MuchMusic has a "sizeable" database.
"The issue here is that the Internet is still very much a medium in process and issues of security are always of concern, and people should be very careful about circumstances in which they offer personal information," said Al MacKay, chair of Media Awareness Network, which encourages debate on the impact of the media on children.
He said the best way for parents to to Internet-proof children is to establish clear rules and then make sure they understand the nature of what they are dealing with.
"Keeping your personal information confidential and secure is very important to us and we have taken the appropriate steps to ensure that all such data remains private," the advisory read. "However, as the Internet is not a 100 per cent secure environment, there is potential for your personal data to get into the wrong hands."
Ms. Crawford said it was determined almost immediately that the calls were not coming from an employee. The company had firewall systems to protect its databases. The station has hired forensic computer specialists to investigate.
"If you receive a call from anyone telling you they are from MuchMusic and they ask you to do anything other than to dial our headquarters hang up," the release said. "This is a prank phone call."
MuchMusic.com has added a warning to the site on its contest page. Once users click to enter a contest a section of the warning e-mail comes up on the screen, outlining the station's procedure when an employee contacts a contest winner. Much News host George Stroumboulopoulos issued the warning on-air just before 3 p.m. Thursday.
Chuck Wilmink, director of the Canadian Centre for Information Technology Security, said that there is no reason to store masses of data on-line.
As a security precaution, it would make sense for those who run Web sites to take all information from contests or application forms and store them on a CD-ROM, he said.
"The majority don't bother to do that," Mr. Wilmink said. "The majority leave themselves very vulnerable. A dedicated, smart Internet hacker who wants to get into the system will be able to get in."
As well, Mr. Wilmink said that those who run Web sites should consider which information they're asking for. "Why do they have to have the phone numbers? These are the kinds of things they should think about."
"We felt it was really important that we go public and let our viewership know that this [the breach]was a possibility," Ms. Crawford said. "We wanted to be proactive ... anyone who entered a contest with us since March got the advisory."
Mr. Arditti said the release didn't give enough information.
"It's also not clear to me from that e-mail whether someone broke into their Web site, or whether someone like an employee just downloaded a database and took it with them," he said.
MuchMusic says its primary viewership is between the age of 18 to 24, with a sceondary demographic of 12 to 17.
"It's safe to say we're on the cutting-edge of Internet protection," Ms. Crawford said. "But the benchmark changes every day. No site is 100 per cent secure."
Parents have to monitor their children's on-line time carefully, Mr. Wilmink said, because currently in Canada, there is no law that requires Web sites asking children for personal information to get their parent's permission, he said.
"Most have no idea how vulnerable their kids are," he said.
With a report from Allison Dunfield