Canadian police investigating ransomware attack on Bell subsidiary after employee data stolen

Bell Technical Solutions — a subsidiary of multibillion-dollar telecommunications giant Bell Canada — announced a data breach after a ransomware group added the company to its leak site on Thursday.

A Bell spokesperson told The Record that Bell Technical Solutions servers containing “operational company and employee information” were involved in a recent cyberattack. 

Bell Technical Solutions is in charge of installing Bell services — like telephones, WiFi and cable — for residential and small business customers in Ontario and Québec.

An unknown number of customers who booked technician visits also had their names, addresses and phone numbers leaked during the incident.

“We took immediate steps to secure affected systems and we want to assure our customers that no database containing customer information such as credit and debit card numbers, banking or financial data was accessed in the incident,” the spokesperson said. 

Bell Technical Solutions added that devices such as modems or set-top boxes were not impacted by the attack. 

The spokesperson did not respond to questions about whether the incident was a ransomware attack and would not say how many people were affected by the incident. 

The Hive ransomware group added the company to its leak site on Thursday, claiming to have launched the attack on August 20.

In a statement posted to the Bell Canada website, the company said it plans to notify the customers who had their information accessed but noted that Bell Technical Solutions operates on its own IT system separate from Bell and any of its other subsidiaries.

Third-party cybersecurity experts were hired to help with the recovery process. The cyber crime unit of the Royal Canadian Mounted Police has been contacted about the attack, and the company said it notified Canada’s Office of the Privacy Commissioner of the incident.

In its notice, the company warned customers to be wary of “unsolicited communications” asking for personal information and said they should look through their accounts to watch for “suspicious activity.”

Hive continues to be one of the most prolific ransomware gangs operating, accounting for more than 150 attacks last month, according to data from Recorded Future.

Hive has been active since June 2021 and is known for being one of the most aggressive financially-motivated cybercrime organizations, frequently targeting U.S. healthcare systems, according to the FBI.


A graph of ransomware activity in August. (Recorded Future)

Hive reportedly breached more than 350 organizations over a four-month period, though only a small number of them have had their data leaked, suggesting most victims pay the ransom.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.