Canadian communications giant Telus is investigating whether crooks have stolen employee data and its source code, all of which is being offered for sale on a criminal forum.
“We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members’ information has appeared on the dark web,” Telus spokesperson Richard Gilhooley told The Register. “We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”
A miscreant who goes by “Seize” claims to have exfiltrated the Telus data, and is offering it for sale on BreachForums, according to screen shots shared with The Register.
In one post, the crook offers 76,000 unique employee emails plus “internal information” linked to those staff scraped from Telus’ API. The price on this dataset is listed as “negotiable,” and will only be sold to one individual.
In another post, Seize offers an email database for $7,000 that includes every Telus employee’s email, a payroll database for $6,000 with 770 staff records — including the Telus president’s info — and finally, all of Telus’ private source code and GitHub repositories including the SIM swap API, for $50,000.
It’s “important to note that, at this point, we don’t know whether the data is legit,” Emsisoft threat analyst Brett Callow told The Register.
“From the perspective of Telus’ customers, probably the biggest concern is what could be done with the repos — the SIM swap API, for example,” he added.
A criminal could potentially use this code to transfer a victim’s phone number to an attacker-controlled device, allowing the interception of one-time security codes and the hijacking of the victim’s other online accounts. In the past this has required fooling or bribing telco staff, but with the code out in the open some scumbag could pull it off with less effort.
In 2020, another Telus-owned company, Medisys Health Group, was the victim of a ransomware attack during which crooks stole personal information belonging to about 60,000 clients.
That incident hit about 5 percent of the company’s customers, and included names, contact information, provincial health numbers, and test results. Financial information and social insurance numbers were not stolen in the attack, the company said at the time.
And just last month another carrier, T-Mobile US, admitted a data breach in which someone abused an API to download personal information belonging to 37 million subscribers. This was the network operator’s sixth security snafu in five years. ®