The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.
Bell Canada spokesman Nathan Gibson told The Canadian Press that “fewer than 100,000 customers were affected.”
RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said they couldn’t disclose details.
“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.
Bell Canada has alerted customers who were affected, and also informed them that additional security, authentication and identification requirements have been implemented.
“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.
Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.
“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.
Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.
Anderson said that the public should realize that centralized data is vulnerable, by its nature.
“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.
Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.
The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.
But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.
David Paddon, The Canadian Press