
Telus internet accounts vulnerable, hacker says

A man who hacked into thousands of Telus internet accounts in B.C. has told CBC News he got into thousands more accounts than the company acknowledges, and says the security flaw allowing him access still hasn't been patched.

Company acknowledges November breach but says security flaw now fixed

A hacking attack on Telus internet customers in British Columbia in November might have been far bigger than the telephone company acknowledged, affecting possibly tens of thousands of customers, CBC News has learned.

The online assault affected at least 6,600 Telus residential customers throughout the Lower Mainland, Vancouver Island and the B.C. Interior.

But the hacker himself says he might have affected as many as 30,000 customers in what he claims was a demonstration to expose a weakness in Telus security — a weakness that he claims still has not been fixed.

"The attack was possible because of the security flaw in the routers and Telus's approach to security," said the 20-year-old hacker in a YouTube posting.

In the posting, he wore a mask similar to that worn by other hackers associated with the loosely affiliated international group called Anonymous.

According to an RCMP search warrant, the hacker cut off wireless internet service for some customers starting Nov. 25. He breached Telus security through Siemens model SE567 wireless routers supplied to many of the company’s customers — routers that the hacker claimed allowed him to take control of the settings.

Customers suddenly couldn't log on and saw a message that said, "The RCMP are corrupt. Signed, LOLGGNoRe."

Karen Ann Markmann, one of the affected Telus customers, said she’s been concerned that the hacker could access her system, calling it, "a serious breach."

"I was fairly worried that someone close by had hacked into my router. So I turned everything off," Markmann said.

Attack downplayed

Telus at first tried to downplay the hack, telling customers the company was trying to implement a technical update when a glitch occurred.

Telus now admits it was hacked, calling it "vandalism," but emphasized that no personal customer information was stolen.

Telus customer Karen Ann Markmann said she's concerned that her private information is vulnerable if anyone can hack into her internet account.

In December, the hacker took part in an online forum, posting that, "Telus has abused their customers far too long, opening unpatchable holes."

He also complained about the RCMP.

"The RCMP in this country have too long been allowed to run unchecked," he wrote. "Do not try to find me, you will fail."

But the RCMP was able to find the alleged hacker, who was using the same online name on war gaming sites that he used in the Telus attack. His real name was allegedly found elsewhere on the gaming site.

The RCMP says the same man is also a suspect in a hacking attack in 2011 in which the passwords of 180,000 car pool customers were stolen and the website’s database was destroyed.

No charges have been laid.

As recently as Monday, the hacker said Telus had not patched the security hole in its system that allowed him access in November.

"The security flaw … is still here to this date. Tested as of Monday, February 27th, 8:30 p.m. Thank you."

Telus says the hacker is mistaken and the flaw has been fixed.


With files from the CBC's Eric Rankin