Koodo Suffers Data Breach: Customer Information Being Sold By Hackers

Canadian mobile carrier Koodo has suffered a data breach. Customer information from the Telus-owned carrier is being sold on the dark web.

Koodo Mobile is admitting that it is the victim of a data breach. In February of 2020, the Telus-owned carrier was hacked and had customer information from 2017 stolen. The hackers have taken the data and are now selling it on the dark web. From Bleeping Computer:

According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.

“What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised,” the email stated.

This information can be used by scammers to port Koodo Mobile numbers to attackers’ devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.

Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.

“A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.

“As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February,” Laeb explained.

So, the next question is, what recourse do customers have? This is something we’ve been monitoring quite extensively here on Freezenet. After LifeLabs suffered a data breach, customers began filing class action lawsuits against the company. One lawsuit was filed in Toronto while the other was filed in BC. So, if customers feel that enough wasn’t done to protect their data, that is one route they can take.

Some might ask whether or not there is anything regulators can do. After all, Canada has a number of privacy commissioners. Well, you may not want to count on that. Outside of publishing a strongly worded letter, they are effectively powerless to really do anything meaningful these days. When Facebook had their privacy scandals, two commissioners went after Facebook, trying to convince the company to change how they manage private information. In response, Facebook effectively blew off the commissioners’ report, the subsequent demands, and a second report. At that point, the commissioners literally ran out of tools in the chest to hold Facebook accountable. So, the commissioners took things into their own hands and, as private citizens, sued Facebook in court.

In fact, recently, LifeLabs sued the privacy commissioners for having the audacity to try and carry out an investigation into the aforementioned data breach. So, not only do the privacy commissioners not have the power to fine companies who break the law, but some companies are emboldened to the point of attempting to block their investigations in the courts.

Another angle is whether or not the Canadian government intends to fix the situation. The answer is very likely “no”. In fact, during a committee meeting in late February, the government was asked by opposition members what the privacy implications of NAFTA 2.0 were. In response, the government essentially shrugged and said, “I dunno. Why? Is privacy important or something?” So, for many, that can easily be taken as a sign of how the government prioritizes Canadian privacy at this point.

So, by international standards, Canada is gradually becoming the laughing stock of the world. This is because if Canadians want any recourse, they’ll have to take the individual companies to court themselves rather than relying on regulators or the government to enforce Canadian privacy laws.

For Canadians, this is yet another data breach. At least we know more precisely what options Canadians have in the first place. Those options are: “lawsuits and hope for the best or nothing”. No one else is really looking out for you, so it’s every man for himself as far as the Canadian system is concerned.

(via ITWorld Canada)

Drew Wilson on Twitter: @icecube85 and Facebook.


