Data breach at Canadian ISP Rogers: open database to blame

Rogers’ third-party service provider left an unprotected database open


Canadian communications and media company Rogers is in the process of notifying its customers about a data breach that affected their personal information. According to the notification published on the ISP’s official site, the intrusion was spotted on February 26th, 2020, and a third-party vendor is to blame. The statement claims that an unprotected database was left open on the internet for everybody to view, resulting in a data breach.

The notification on the official site stated:[1]

On February 26, 2020, Rogers became aware that one of our external service providers had inadvertently made information available online that provided access to a database managed by that service provider. <…>

We sincerely apologize for this incident and regret any inconvenience this may cause.

Rogers states that it immediately shut down access to the database and began the investigation. Additionally, the company began to notify the affected customers individually via email or other means of communication.

Rogers Communications Inc. is one of the largest IT and television service providers in Canada, located in Toronto. Established in 1960, it currently serves more than 10 million wireless subscribers[2] and employs around 26,000 people. Currently, it is unknown what percentage of the customer base was affected by the data breach.

No sensitive information was located in the compromised database

While no information has been provided about the number of affected customers or whether malicious actors misused the accessed data, Rogers said that, luckily, no sensitive information, such as passwords, credit card details, or banking information, was present in the affected database.

Nevertheless, the ISP claimed that some personal details were included in the database, such as:

  • Names
  • Emails
  • Phone numbers
  • Account numbers

While this data is not critical, the affected people could be targeted in phishing attacks in which cybercriminals pretend to be from the ISP with the help of the stolen information. This could result in unforeseen financial losses or further personal data compromise.

Rogers promised compensation and said that each of the affected victims would be provided with a TransUnion credit monitoring subscription, as well as port protection for the affected phone numbers (the latter prevents a phone number from being transferred to another carrier without permission). Additionally, the affected accounts will be subject to additional security checks during the login process.

Leaky database incidents will continue – companies must improve their cybersecurity practices

A data breach is not a pleasant event for either the company responsible or the victims of the data exposure. It puts customers at risk of being abused in targeted phishing attacks, and companies have to pay recovery fees or even fines for inadequate security practices. Without a doubt, the IT staff at each company should make sure that no database that includes customer data is exposed in the first place. Unfortunately, in practice, many missteps happen quite often.

This is not the first time the company has suffered a data breach, however. In 2015, a social engineering attack was used against one of the company’s employees, which resulted in the theft of a 456MB data dump. It included customer information, as well as emails and other data related to medium business accounts.[3]

Leaky databases are not an uncommon occurrence, as even high-profile organizations fail to safeguard customer data. Previous instances involve companies like smart tech developer Wyze,[4] Indian airline SpiceJet, porn site Luscious, medical imaging service provider NextMotion,[5] and many others.