Rogers yesterday released news that it was the victim of a social engineering hack. That’s when you get someone to hand over information that allows you to get into a system. Here’s what the hack resulted in, according to The Globe And Mail:
Patricia Trott, a spokeswoman for the Toronto-based Internet and phone provider, said a “third party” accessed a “single e-mail address of one of our enterprise sales employees, who managed a small number of medium business accounts.”
The breach occurred last week, she said in a statement Monday, and was due to “human error (not system error).”
Here’s how the breach was discovered:
Late Sunday afternoon, an anonymous Twitter user using the handle @TeamHans_ posted a link to a zip file containing copies of dozens of contracts for telecommunications services, as well as e-mail correspondence from the Rogers sales employee.
The contracts appear to relate to between 50 and 70 medium-sized businesses that were part of the portfolio managed by the employee whose e-mail account was accessed. The contracts do not appear to contain payment or password information, but they do indicate the number of data or phone lines purchased as well as the amount spent by the business customers.
Rogers claims to have secured its systems, contacted police, and alerted customers. That’s all good. Rogers also disclosed this quickly. That’s also good. But it is clear that there needs to be training to stop social engineering hacks from occurring in the first place. Hopefully Rogers does invest in that training, as I can say from experience that you can have all the firewalls, anti-virus, anti-spyware, and other digital defenses you want, but if your staff don’t know how to identify and react to a social engineering attack, it makes all of that other stuff meaningless.