On Their Radar: Bell Canada Breach Hits Small-Business Owners

Bell Canada blamed a data breach at a third-party supplier for the exposure of more than 22,000 usernames and passwords belonging to its small-business customers, according to a statement issued by the telecommunications giant over the weekend.

The company said 22,421 usernames and passwords and five valid credit-card numbers associated with Bell small-business customers were exposed in the breach, with the data posted on a hacking forum. A successful attack was carried out on the supplier's information technology system, according to Bell Canada, which did not say when the attack took place or how long the data was exposed.

Bell Canada has disabled all affected accounts and is contacting small-business customers who were impacted by the breach. The company said it is working with the supplier and law enforcement in investigating the extent of the security incident.

[Related: The 10 Worst Passwords Of 2013]

"Bell's own network and IT systems were not impacted," the company said in a statement. "The issue does not affect Bell residential, mobility or enterprise business customers."

Solution providers told CRN that the recent string of high-profile breaches, from Target's massive credit card leak to attacks against Yahoo's email servers, highlight the significant risks facing small and midsize businesses. Target said stolen vendor account credentials were used to access its internal systems. Yahoo blamed a third-party database leak for attacks against its user email accounts.

Small-business owners often believe breaches only happen to bigger firms, said John Garner, president of iMedia Technology, in a recent interview with CRN. Small-business owners need to realize that cybercriminals are going up and down the supply chain, Garner said. Once an attacker steals data from a small or midsize business, the information is often bought and sold on hacking forums and used in larger-scale attacks.

"Many businesses naively think they will fall under the radar," Garner said. "We try to get more involved in the conversation to help them understand their security requirements, even if they take a minimal approach."

Yahoo reset passwords on impacted accounts and used a second sign-in verification to validate the identity of the account holder. Yahoo said the attack on its user accounts was coordinated and cybercriminals used an automated attack toolkit to gain access to the email accounts and then collect the names and email addresses in the victim's list of most recently sent emails.

"Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks," said Jay Rossiter, senior vice president of platforms and personalization products at Yahoo, in an statement last week. Rossiter said users should adopt better password practices by changing passwords regularly and using stronger password combinations.

Attackers could have gotten user information to help them carry out an attack from a variety of breaches over the course of 2013, according to managed services provider Solutionary, an NTT Group Security Company. In a blog post about the incident, Solutionary pointed to the massive Adobe Systems breach as potentially providing data.

"While it isn't yet known what data breach gave hackers access to the usernames and passwords, it is suspected that the lack of [differentiation] in username/password combinations between different programs and Web services is the reason why the hackers were able to gain access to the Yahoo accounts," according to Solutionary's blog post.

PUBLISHED FEB. 3, 2014