Thursday, April 25, 2013

Data Breaches And Corporate Karma


Today I was doing some basic research to gauge security at the big three telco companies in Canada. The whole point of this research was to gauge whether any of them proactively look for customer data breaches on the Internet and then act on taking these information breaches down once they're discovered.

I started with Bell Canada. Naturally, as soon as I found a data breach, I reported it to Bell Canada - not for their sake, but for the sake of the customer who hasn't been protected. I then added a notch to my count of known issues.

As the easiest way for me to report it is over Twitter, I converted the credentials to their "One Bill" number and passed it to Bell Support. That way, Bell knows who the customer is, and I'm not further leaking or spreading the information that's already out there. As soon as Bell Canada gets the customer's password changed, it's no longer a threat.

However... Anyone that's phoned Bell Canada will know this phenomenon: you get asked to punch in the phone number on the keypad, hang around on hold, and then the first question the support person asks you is for the same number you already punched in earlier. In the case of Twitter, I provided an account number that's uniquely identified within Bell Canada, and they wanted yet more information. I simply wasn't about to hand over her name and phone number too, as that would be a public breach.

Anyway, as for the breach location, I'm treating Bell Canada as they treated me when I asked them who they leaked my info to (Bell's stance is documented here), and so they're now stuck up breach creek without a paddle, too.