Calgary

Shaw notifies customers of data breach nearly 6 months later

Some Shaw customers were notified last week that their information may have been compromised in a June data breach.

Calgary-based company recommends customers change their password, set up 2-step verification

A Shaw customer shared this letter with CBC, which notifies them of a June 22 data breach. (Submitted)

Some Shaw customers were notified last week that their information may have been compromised in a June data breach.

A letter sent to customers said on June 22 a laptop belonging to a Shaw employee was stolen, and the theft was reported to police. 

Shaw said the computer had documents with "a limited amount of customer information — including customer names, account numbers, a list of services they subscribe to with Shaw and whether the accounts are active or closed." It did not say how many current or former customers were affected.

The documents didn't include any financial information like credit card numbers or personal identifiers like date of birth, the company said, and there's no evidence that any of the stolen information has been misused.

The Calgary-based company recommended customers change their password and set up two-step verification on their account.

"Since the incident, we have implemented additional measures to secure our corporate devices.… We care about the privacy and security of your personal information and protecting it remains our top priority," the letter read.

The letter was sent to a "very small" number of affected customers, the incident was quickly reported to law enforcement and an internal investigation took several months to conclude, the company told CBC News in an emailed statement.

When asked exactly how many customers were affected and why it took six months before they were notified, Shaw repeated that a "small number of customers" were affected and said the scope of the company's investigation was complex.

Earlier this year, Shaw-owned Freedom Mobile had a data security breach that affected 15,000 customers.

Businesses are required by federal law to report any security breaches that involve personal information that pose a risk of harm to the Office of the Privacy Commissioner of Canada. Between November 2018, when that law went into effect, and October 2019, 680 breaches were reported. 

An OPC spokesperson confirmed the office is in contact with Shaw but said due to confidentiality provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) it's currently unable to offer further details.

Shaw confirmed that it filed a preliminary notification to the OPC on Aug. 6.