Koodo data breach exposes account and phone numbers

An email from the carrier warned affected customers

Some Koodo customers are receiving emails from the carrier notifying them of a recent security incident.

According to the email, an unauthorized third party was able to access Koodo’s systems on February 13th using compromised credentials. Further, the third party copied data from August and September 2017 that included some customers’ account numbers and telephone numbers.

The Telus flanker brand said in the email that it’s “possible that the information exposed has changed since 2017, in which case [users’] current information is not compromised.”

Further, Telus offered the following statement to MobileSyrup about the incident:

“Our investigation has determined that some archived customer data from 2017 has been accessed by an unauthorized user. We are proactively reaching out to impacted customers and offering them enhanced security safeguards such as telephone port protection. As soon as we discovered the incident, we took immediate steps to protect our customers and are continuing to monitor the dark web. Additionally, we have notified law enforcement and the Office of the Privacy Commissioner, and will continue our own internal investigation.”

In response to the breach, Koodo says it “acted quickly to prevent further unauthorized access.” The carrier also notes that some customers could be at risk of unauthorized number porting. In other words, a fraudster could use the compromised information to gain control of a customer’s phone number by moving it to another carrier, allowing the fraudster to receive that customer’s calls and texts.

Koodo says that it applied ‘port protection’ on all vulnerable accounts, which requires a customer to call the carrier before they can port the number. Finally, Koodo notes that customers can call in to remove port protection if they so choose.

Because of this, Koodo recommends customers don’t use their phone number for security services such as two-factor authentication (2FA). Further, Koodo advises customers who have 2FA set up with an affected phone number to switch to an alternate security feature, since a third party that obtained compromised account details could potentially use that number to intercept 2FA codes and gain access to accounts secured in this way.

Additionally, a post on Koodo’s community forum notes that the carrier is still investigating the breach and directs customers with security concerns to call the carrier at 1-866-995-6636.

Telus also told MobileSyrup that it will notify all customers who were possibly impacted by the breach. The carrier says the majority of those affected had only one or two “non-sensitive data elements compromised.” Further, Telus assessed about 50 customers as being at risk of harm and has taken appropriate steps to protect them. About 900 customers and 300 former customers had “some other form of information exposed” that doesn’t appear to put them at a “real risk of significant harm.” Regardless, Telus says it plans to inform those customers of the breach as well.

Update 03/07/2020 at 8:08am: Telus shared details on how many users were impacted by the breach, which have been added to the story.