The recent Bell Canada data breach might not have contained any compromised financial information, but it could still create "stepping stones" to more serious cases of fraud and espionage, according to a cybersecurity expert.
On Tuesday, the company alerted customers that the information of "fewer than 100,000" users was illegally accessed by hackers. The RCMP announced it had opened an investigation.
Bell, Canada's largest telecommunications company, said that while names and email addresses were accessed — as well as phone numbers for some users — no banking or financial information was compromised.
Breach creates 'indirect vulnerability'
"We apologize to our customers and are contacting all those affected," the company said in a statement to HuffPost Canada, adding that it notified the office of Canada's privacy watchdog of the incident.
The potential danger to the company's customers is apparent, according to Jon Lindsay, an assistant professor in digital media at the University of Toronto's Munk School of Global Affairs.
"They're going to be potential victims of more sophisticated spam and phishing messages, because the more you know about somebody the more you can tailor the lure to that particular person," Lindsay told HuffPost.
"Maybe you make something that looks like a Bell bill, and [customers] would be more likely to give their credentials or input their credit card information to it."
The compromised information creates an "indirect vulnerability," Lindsay added.
"It could just be used as a stepping stone for further fraud or even espionage," he said.
Gordie Mah, the University of Alberta's chief information security officer, said that although data like names or email addresses might be considered "low sensitivity" compared to credit card information, they're still desirable on the black market.
"They're still those who will buy or attempt to acquire large lists such as that. There's various use cases, they may now have a very targeted list that they can direct future attack attempts to," Mah told HuffPost.
"Even though it may not lead to direct credit card fraud or it may not lead to direct attempts to impersonate you ... it can still leave you vulnerable to future attack attempts because you're now on this targeted list," he said.
Bell has notified affected customers that additional security, authentication and identification requirements have been implemented in light of the incident.
It certainly is a sign of lax practices, of lax cyber security posture.
This is the second breach at the company in eight months. Last May, Bell announced that 1.9 million email addresses and around 1,700 names and phone numbers were illegally obtained by hackers. A spokesperson for the company told HuffPost the two incidents are not connected.
"Unfortunately, breaches like this are becoming more commonplace than we would want to admit," Atefeh Mashatan, an assistant professor at Ryerson University's information technology management department, told HuffPost.
"It doesn't surprise us as much as it should."
Lindsay said that while the potential consequences of these breaches can be significant, their causes are rarely sophisticated attacks that require "national security agency-level exploitation."
"It certainly is a sign of lax practices, of lax cyber security posture," he said. "Firms are now more and more hiring chief security officers, but that's only fairly recently the case."
Though Bell has not disclosed how the attack occurred, Lindsay said recycled malware that exploits known weaknesses is behind many of these kinds of breaches.
Lindsay added that Bell could have guarded itself against that vulnerability if it had its "cyber hygiene, if you will, its corporate practices up to best practice standards."
Mashatan echoed that sentiment, saying that maintaining best practices can prevent "most of these attacks."
Still, she added that while data protection is getting more sophisticated, so are the attackers.
"Institutions must be getting it right all the time ,while the attacker is successful if they get it right only once," Mashatan said. "So, as value of data increases and hence the attackers are getting more motivated, we have to proactively work on better technical protection and employee training."
"It's everything from state-sponsored [attackers] to organized crime to lone wolf criminals to hacking activists, known as hacktivists, to even [the] mischievous individual who's a little bit boredAtefeh Mashatan
Mah pointed to multiple factors that could lead to more data breaches. An abundance of new tools at hackers' disposal and the emergence of a new "actors" have created a perfect storm, he said.
"It's everything from state-sponsored [attackers] to organized crime to lone wolf criminals to hacking activists, known as hacktivists, to even [the] mischievous individual who's a little bit bored and has some technical proficiency," he said.
"And again, even if the technical proficiency isn't even there, there's never before been so many options to buy or acquire them. You don't have to be that highly skilled programmer or you don't have to develop highly skilled malware or malicious code yourself. You can buy it. You can pay for services to attempt phone scams and whatnot."
Trust in institutions up: Symantec
But while 2017 had some significant data breaches — Equifax alone reported that the personal details of 143 million Americans and 19,000 Canadians was stolen — it doesn't seem to have dinged consumer trust in companies to protect data.
A recent report by Symantec found that consumers globally have either gained or maintained trust in their institutions. The study found that 82 per cent of respondents trusted their financial institutions to protect their data, for example, while 80 per cent trusted their internet service providers.
This level of increased trust is a sign that, on the margins, cybersecurity efforts are improving, Lindsay said. But they also bring about new risks.
"It's because people are trusting their information and their money and all their transactions on the internet that it creates a really lucrative environment for criminals to exploit," he said. "I think that it's possible for both things: you can simultaneously have more trust and more crime."
Some silver linings to be found
For Mah, there are some silver linings in Bell's second breach. He commended the company for disclosing the incident to its customers and hailed its "timeliness" and transparency, despite it not being legally obligated to do so.
The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.
Having two breaches within eight months is a "nightmare," but Mah said he also sees a chance to improve cybersecurity with every incident.
"If an organization does learn from the incident and they do improve their security as a result of those lessons learned, then that can be taken as a silver lining, too."
Mah, Mashatan and Lindsay said customers can take their own precautions:
- Avoid easy passwords like, well, "password" or "admin123"
- Frequently change passwords and security questions
- Make passwords longer. Each extra character or number adds another layer of security, Lindsay says
- Avoid using the same favourite password for multiple accounts
- Maintain "good computer hygiene" by making sure anti-virus and operating software are patched and up to date
- Be "vigorous" in checking your account and report any suspicious activity
With files from The Canadian Press