Rogers Communications Inc. says that a security breach it attributes to “human error” has resulted in outsiders gaining access to information associated with dozens of its medium-size business accounts.
The intruders appear to have used a technique known as “social engineering” – which relies on manipulating people into volunteering confidential information – to trick an IT support agent into handing over an employee’s confidential details that were then used to gain access to Rogers’ internal records.
Patricia Trott, a spokeswoman for the Toronto-based Internet and phone provider, said a “third party” accessed a “single e-mail address of one of our enterprise sales employees, who managed a small number of medium business accounts.”
The breach occurred last week, she said in a statement Monday, and was due to “human error (not system error).”
Late Sunday afternoon an anonymous Twitter user using the handle @TeamHans_ posted a link to a .zip file containing copies of dozens of contracts for telecommunications services as well as e-mail correspondence from the Rogers sales employee.
The contracts appear to relate to between 50 and 70 medium-sized businesses that were part of the portfolio managed by the employee whose e-mail account was accessed.
The contracts do not appear to contain payment or password information but they do indicate details such as the number of data or phone lines purchased as well as the amount spent by the business customers.
“The third party was able to access a small number of business agreements managed by this employee. The agreements include the business name, business address, business phone number and pricing details. They do not contain personal or financial information,” Ms. Trott said in the statement. “The third party did not have access to any information on our retail customers (consumer accounts).”
“As soon as we discovered the situation we took all the necessary steps to secure our systems,” she said, adding that the company is “working with the police” and has contacted the affected customers.
“As a precaution, we’ve put additional security procedures in place for our business customers. We take the privacy and security of our customers’ information very seriously and we will continue to review our policies and procedures.”
The website Databreaches.net first reported the breach on Sunday evening. The website said it conducted an interview with the individuals behind the @TeamHans_ Twitter account who explained how they called Rogers IT support and convinced the agent to give them the sales employee’s details.
According to the Databreaches story, those behind @TeamHans_ – who claim not to be from Canada – said they demanded Rogers give them 70 bitcoins in exchange for not revealing the breach or sharing the information publicly.
The demand for the virtual currency is also revealed in one of the e-mails disclosed in the data dump, which outlines steps Rogers was taking to address the breach of the employee’s account and an apparent threat to the employee and his family. The intruders told Databreaches they did not make such a threat.
A report last week from Silicon Valley security firm FireEye Inc. outlined how corporations are often unprepared to counter data breaches.
Relevant to the Rogers breach, the report found organizations are often vulnerable to mistakes by their own people. More than three-quarters of “phishing” e-mails – messages meant to fool recipients into sharing passwords and login information to access protected servers – came from hackers impersonating the company’s information technology department or suppliers of anti-virus software in 2014, almost double the level the previous year, the report said.