Mounties charge Quebec teen for hacking Bell customer data, posting it online
It looks like a member of NullCrew has been arrested. The Canadian Press reports:
The Mounties have charged a young offender in Quebec after the user names, passwords and credit-card information from some of Bell Canada’s small-business customers were posted online.
The RCMP say they started investigating after one of Bell’s third-party IT suppliers was cyberhacked.
As a result of the hacking, investigators say, 22,421 user names and passwords and five valid credit-card numbers were displayed for anyone to see on the Internet.
A young offender, who cannot be identified because of his age, was arrested at a Bagotville, Que., residence early Friday and charged with one count of unauthorized use of a computer and two counts of mischief in relation to data.
Police said the accused is believed to be a member of a hacktivist group NullCrew, alleged to be responsible for hacking into computers of businesses, schools and government agencies.
The youth is scheduled to appear in Ottawa court Aug. 19.
Read more on Globe and Mail.
Amazed Canuck - June 13, 2014
That kid (if they caught the right kid) opened up a lot of eyeballs.
-Showed failings in security connected to Bell’s IT
-Showed failings in passwords being in the clear
-Showed failings on data being retained beyond what is required.
-Showed failings in Bell’s 3rd parties that Bell is responsible for.
-Showed failings in Bell training, and more.
It got the attention of many, and this wasn’t a very big hack, nor was it big data for sale. Even then, the whole data dump looked as if it was held back and we only got to see some of it.
Bell should be slightly thankful for this kid showing some minor failings that their own security professionals never caught on to, and it should have had them looking over security scenarios to prevent this type of thing from happening again.
All in all, Bell got a small embarrassment due to this. And if I recall right, even Bell stated the 5 CC’s that were leaked were expired.
Bell and/or the crown should go easy on the kid. Bell itself got to learn something from this, and hopefully Bell will now take the privacy of its customers seriously and actually audit what is connected to their infrastructure (which clearly they haven’t), and audit their 3rd parties with regards to PIPEDA and the data these 3rd parties are hoarding in perpetuity on people which goes beyond what is required by Revenue Canada for tax purposes.
It could have been worse.
No matter the outcome, the kid opened the eyes of everyone, and for the betterment of everyone. Bell included (though the faceless multi-billion dollar corporation with lax security may disagree). Hopefully they go easy on the kid.
Just being transported from French Quebec to English Ottawa for a court date is likely making the kid freak enough as it is.