Data Breaches

Rogers and Freedom Mobile Hit by Major Data Breaches

The CyberSignal

The CyberSignal

2 min read
Telecommunications tower emitting signals disrupted by cyberattack, with a cracked database leaking data, illustrating network breach and infrastructure vulnerability.

Canada’s telecommunications landscape is reeling from a series of high-profile security incidents as both Rogers Communications and Freedom Mobile confirmed separate data breaches affecting thousands of customers. The sequential nature of these attacks has raised urgent questions regarding the systemic resilience of the nation’s critical communication infrastructure and the security of subscriber PII (Personally Identifiable Information).

Rogers and Fido: The Scope of Exposure

On March 28, Rogers Communications—including its subsidiary brand Fido—confirmed a breach involving unauthorized access to a database containing customer information. While Rogers stated that banking and password data remained encrypted, the exposed fields reportedly include names, addresses, phone numbers, and account details.

The company has begun notifying impacted users, advising them to remain vigilant against phishing attempts. "We are working with external cybersecurity experts and law enforcement to investigate the full extent of this unauthorized access," a Rogers spokesperson stated, emphasizing that core network services remained operational throughout the incident.

Freedom Mobile: Quebecor Confirms "External Attack"

This announcement follows a mid-March disclosure from Freedom Mobile, owned by Quebecor Inc. The Freedom breach appears to have stemmed from an attack on a third-party server, exposing a similar subset of customer data.

Industry analysts at The Globe and Mail note that these dual breaches highlight a growing trend where attackers target the expansive supply chains and third-party vendors utilized by major carriers. The proximity of the two incidents has prompted the Office of the Privacy Commissioner of Canada to monitor the situation, as the telecom sector remains a top-tier target for sophisticated threat actors seeking to harvest data for identity theft and SIM-swapping campaigns.

Industry Fallout and Regulatory Pressure

The back-to-back compromises have reignited debates over the Telecommunications Act and the proposed Bill C-26, which seeks to bolster cybersecurity across federally regulated sectors. Critics argue that the current penalties for data mismanagement are insufficient to drive the necessary investment in proactive defense-in-depth strategies.

As the investigation continues, Rogers and Freedom have both committed to offering identity monitoring services to affected customers. However, the reputational damage and the potential for secondary "smishing" (SMS phishing) attacks remain a significant concern for the millions of Canadians relying on these networks.

Primary Intel & Reports: iPhone in Canada, MobileSyrup, The Globe and Mail

The CyberSignal Analysis

The Rogers and Freedom incidents represent a "double-tap" on Canadian digital trust, illustrating that even the largest national carriers are vulnerable to perimeter failures.

  • Third-Party Risk (TPRM): The Freedom Mobile breach underscores the reality that an organization’s security is only as strong as its weakest vendor. For CISOs, this is a mandate to move beyond "point-in-time" audits toward continuous monitoring of third-party environments.
  • The PII Goldmine: Telecom data is uniquely valuable for social engineering. With access to account numbers and phone details, attackers can bypass MFA via SIM-swapping or craft highly convincing phishing lures.
  • Operational Takeaway: Carriers must prioritize Data Masking and Zero Trust Architecture for their back-end databases. If the data is not strictly necessary for the current transaction, it should remain encrypted or tokenized to minimize the "blast radius" of a breach.

Read more