It looks like a member of NullCrew has been arrested. The Canadian Press reports:
The Mounties have charged a young offender in Quebec after the user names, passwords and credit-card information from some of Bell Canada’s small-business customers were posted online.
The RCMP say they started investigating after one of Bell’s third-party IT suppliers was cyberhacked.
As a result of the hacking, investigators say, 22,421 user names and passwords and five valid credit-card numbers were displayed for anyone to see on the Internet.
[…]
A young offender, who cannot be identified because of his age, was arrested at a Bagotville, Que., residence early Friday and charged with one count of unauthorized use of a computer and two counts of mischief in relation to data.
Police said the accused is believed to be a member of a hacktivist group NullCrew, alleged to be responsible for hacking into computers of businesses, schools and government agencies.
The youth is scheduled to appear in Ottawa court Aug. 19.
Read more on Globe and Mail.
That kid (if they caught the right kid) opened up a lot of eyeballs.
-Showed failings in security connected to Bell’s IT
-Showed failings in passwords being in the clear
-Showed failings on data being retained beyound which is required.
-Should failings in Bell’s 3rd parties that Bell is responsible for.
-Showed failings in Bell training, and more.
It got the attention of many, and this wasn’t a very big hack, nor was it big data for sale. Even then, the whole data dump looked as if it was held back and we only got to see some of it.
Bell should be slightly thankful for this kid showing some minor failings that their own security professionals never caught on to, and it should have had them looking over security scenarios to prevent this type of thing from happen again.
All in all, Bell got an small embarrassment due to this. And if I recall right, Even Bell stated the 5 CC’s that were leaked were expired.
Bell and/or the crown should go easy on the kid. Bell itself got to learn something from this, and hopefully Bell will now take the privacy of its’ customers seriously and actually audit what is connected to their infrastructure (which clearly they haven’t), and audit their 3rd parties with regards to PIPEDA and the data these 3rd parties are hoarding in perpetuity on people which goes beyound what is required by Revenue Canada for tax purposes.
It could have been worse.
No matter the outcome, the kid opened the eyes of everyone, and for the betterment of everyone. Bell included (though the faceless multi-billion dollar corporation with lax security may disagree). Hopefully they go easy on the kid.
Just being transported from French Quebec to English Ottawa for a court date is likely making the kid freak enough as it is.
You seem to go out of your way to blame everyone but the kid. What you describe about Bell really applies to just about any data leak/hack that has occurred anywhere.
I agree, it appears that relatively little “harmful” data was released in this incident. But try telling that to the people whose data was in that unfortunate batch. Face it: even if the CCs were expired, most banks simply extend the same CC numbers upon renewal, so those numbers are still useful. And so is this data. Which means unnecessary headaches for those victims, not for Bell.
As for Bell — or any other organisation that’s hacked — there’s seldom any shame or embarrassment. After all, “it’s just the cost of doing business,” right?
Until there are much more harsh consequences for organisations that practice poor data security (e.g., massive government fines and/or sanctions, plus reparations to the victims), there’s little likelihood that anything will change.
As for this kid, the fact that he’s a kid means he’ll likely get little more than a slap on the wrist. Maybe that’s appropriate for “a kid,” but surely (s)he knows right from wrong, and it’s a distinct possibility that he’ll be back again.
“You seem to go out of your way to blame everyone but the kid.”
Perhaps I have, and am.
As a kid i’ve played with exploits (a lot) and exploited entities. I would paste proof and boast about it. Personally I think it’s part of being a kid, a kid who is really into computers and seeing what one can do for “fun”. I mean, I didn’t see anything really malicious here with this breach, or the data used for alternative purposes.
Were there victims? Yeah. Bell had to spend money to notify people. People maybe took the time to call PrivCom, their CC company and maybe change passwords (maybe, keep in mind, a lot of the data was hoarded data with long ago outdated accounts. Old data that was just sitting there for no reason).
I’m sure the bean counters can come up with a cost in the millions for this. But should such a simple exploit and outdated software that is holding tens of thousands of peoples info not have been audited for security (and payment transactions), even if a 3rd party?
If it wasn’t this kid, it could have been someone else looking to find info to sell on the black market. This was an accident waiting to happen since it went unnoticed and unchecked.
Do I think he should get a slap on the wrist? Yup. The trip to an Ottawa court room would be punishment enough. You called me out right.
Do I think Bell should get a slap on the wrist? Nope.
Bell is in the business of hoarding data (more than what they should). What this went to show (to me anyhow) is that Bell doesn’t have control in securing what is connected to their own Bell.ca domain, securing their customers’ info, auditing for compliance, checking 3rd party compliance who sell on their behalf (or form part of a service), and training front-line people.
However, Bell did take responsibility for the data and the data breach by this third party, as they should have.
“You seem to go out of your way to blame everyone but the kid.”
Yup. I am. Kid played. Kid found something. Kid got excited. Kid got his 5 minutes of glory and gloat. Kid (or someone) told Bell. Bell blew him/them off.
Bell Security, and the tens of thousands of peoples private info, got taken by a kid.
And yeah, this type thing does apply to many others like you stated. But in this case it seems they held back on the data dump (at least that what it appears to be), and also didn’t just say nothing and try and sell the data or CC’s. So maybe some thought about right and wrong went into this and it was actually just for the “LuLz”. Sure many breaches are like this, but I don’t think every breach ends the same though. …Maybe i’m wrong.
I always get a chuckle when they say ‘we caught an underage minor’ h4ck3r1ng data.
Next we will learn that the RCMP or Bell Security will end up offering the kid a j0b cuz he is such a l33t h4ck3r – and that he is bilingual – and that he r4tt3d out all his leet underground fellow script kiddies to cut a deal with the Crown.
Actually, Laffer, I have zero doubt this kid is going to be raked over the coals for exposing what should not have been exposed. And that is data retained beyound its intended purpose, and just plain retained for no reason by 3rd parties (among other things).
Have you seen the headlines? RCMP is making out like they caught an economic terrorist. “Cyber”-terrorist doing “Cyberhacks” which affects the economic health of Canada.
Why doesn’t the RCMP say it like it is? “A kid nailed Bell Canada for faulty security and not respecting PIPEDA (among other things). Did the RCMP really get their man?
Wouldn’t surprise me if Bell and/or the RCMP ask that this court case be gagged. It will be one to keep an eye one for sure.