Cyber Incident Victim: Koodo Mobile
Date: Feb 2020
Location: Canada
Summary
A telecommunications provider experienced a data breach when an unauthorized third party accessed its systems using compromised credentials, stealing customer mobility account and telephone numbers. The stolen information appeared for sale on dark web markets, with over 21,000 accounts listed. Exposed data could facilitate mobile number porting attacks to intercept two-factor authentication codes, potentially compromising online accounts. The company implemented port protection to block unauthorized transfers and notified law enforcement and privacy regulators. Affected customers were advised to avoid using mobile numbers for authentication due to ongoing risks, including targeted SMS phishing attempts leveraging the breached information.
Description
On February 13, 2020, an unauthorized third party accessed Koodo Mobile’s systems using compromised credentials and copied customer data from August and September 2017. The stolen information included mobility account numbers and telephone numbers, though Koodo clarified that any information updated after 2017 remained uncompromised. The breach was disclosed via email notification to affected customers, which stated the attackers exfiltrated historical records but did not specify the total number of impacted accounts. Koodo Mobile, a subsidiary of Canadian telecommunications provider Telus, implemented ‘Port Protection’ on affected accounts to prevent unauthorized number porting—a tactic whereby attackers transfer phone numbers to devices under their control to intercept two-factor authentication (2FA) codes. This security measure required account holders to contact Koodo directly before authorizing any carrier transfer. The company reported the incident to Canadian law enforcement and the Office of the Privacy Commissioner of Canada, emphasizing collaboration with these entities during the investigation.

Evidence emerged that the stolen customer data was offered for sale on dark web markets, with cybersecurity firm KELA identifying over 21,000 Koodo accounts listed on one automated access-selling platform. Raveed Laeb of KELA noted a February 2020 surge in Koodo account uploads to these markets, correlating with the breach timeline. Despite asserting that Port Protection would neutralize fraud risks, Koodo’s notification advised customers against using their mobile numbers for 2FA on online accounts, recommending alternative methods for receiving one-time passcodes. The company acknowledged that historical data breaches elsewhere could provide attackers with supplemental information to bypass Port Protection safeguards. Affected customers were alerted to potential SMS phishing (smishing) scams leveraging breached telephone numbers. Koodo did not disclose technical details about the compromised systems, credential exploitation method, or whether additional data categories beyond account and phone numbers were accessed. The breach notification process and Port Protection rollout occurred after the February intrusion but before March 6, 2020, when public reporting confirmed the incident.
