On Oct. 23, 2018, a man pretending to be me called my cellphone provider and asked for help activating a new SIM card. After taking two unsuccessful stabs at my four-digit PIN, he was eventually able to gain access to my account with just three pieces of information: my postal code, my date of birth and my approximate account balance, which he was able to guess within $2.
During the call, which lasted a mere four minutes and 20 seconds, the impersonator was able to link my phone number to a SIM card in his possession. He then proceeded to request password reset codes that allowed him to gain access to my e-mail, Facebook and Dropbox accounts.
I know all of this because I was able to obtain a copy of the call transcript from my telecom provider under Canada’s Personal Information Protection and Electronic Documents Act, also known as PIPEDA. (Individuals can request access to their own personal information under clause 4.9 of schedule 1.)
But what I didn’t know – and, as a journalist, was dying to learn – was how often others were falling prey to this type of fraud.
In 2019, Canada’s telecom regulator started gathering statistics from wireless carriers on the frequency of SIM swaps and fraudulent ports.
SIM swaps – the type of attack that I had experienced – involve a scammer calling the customer’s wireless provider, claiming that their phone is lost or stolen and asking to link the victim’s number to a new SIM card. In a fraudulent port, the scammer transfers, or “ports,” the customer’s phone number to a new account at a different wireless carrier.
The Canadian Radio-television and Telecommunications Commission (CRTC) wasn’t publicly releasing its phone-number fraud figures, so I requested the data through an access to information request in July, 2020.
About a month later I received a response. One chart appeared to list the number of unauthorized SIM swaps in each month between August, 2019, and May, 2020, at each carrier, as well as across the industry. Another provided the same figures for unauthorized ports. Unfortunately, all of the numbers contained within both charts were completely redacted – including the aggregate figures for the sector as a whole.
In order to redact the information, the CRTC had relied on several exemptions under the act, including section 20(1)(c), which allows for information to be withheld if disclosing it “could reasonably be expected to result in material financial loss” to a third party.
I could see how releasing individual carriers’ data could have a negative effect on their businesses. But redacting the aggregate figures for the industry felt like an overreach, particularly considering the public safety issue at hand. (Some people have lost significant sums of money because of phone-number fraud.)
When I reached out to the CRTC for an explanation, I was told that the aggregate figures were being withheld because they had been collected as part of a proceeding on the topic of phone-number fraud under way at the commission.
Dissatisfied with this answer, I made my case in a complaint to the Office of the Information Commissioner of Canada. I knew this would be a lengthy process, but it was worth a shot.
A year later, I received another e-mail from the CRTC.
“After consultation with the Office of the Information Commissioner of Canada (OIC), we are pleased to inform you that we have reviewed our recommendation,” the regulator wrote.
In order to resolve the complaint, the CRTC had agreed to unredact the bottom row of each of the two charts, revealing the industry-wide totals for both SIM swaps and port frauds.
The data provided the first glimpse into the prevalence of phone-number fraud in Canada. What it showed was that 24,627 unauthorized number ports and SIM swaps had occurred during the 10-month period. In the case of customer transfers, or ports, that meant nearly 1 per cent of those that took place during that time were unauthorized.
As I later learned through a follow-up access request – in which I asked for information relating to the handling of my initial request and of my complaint to the OIC – the CRTC had initially used multiple arguments to try to justify redacting the data.
It told the OIC that the figures had been filed in confidence with the commission, that the proceeding on the topic precluded making the data public and that releasing them would be harmful to the industry.
But the deputy commissioner at the OIC told the CRTC that if it wanted to maintain the redactions, it would have to provide “excellent submissions” to demonstrate that the exemptions were indeed relevant.
In the end, rather than continue to press the issue, the CRTC relented.
“I followed up with the concerned people here at the CRTC and I managed to convince them to make a second disclosure with the modifications discussed,” the agency’s deputy director of information management wrote in an e-mail.
The CRTC also expressed surprise that I was willing to settle for just the industry totals. Apparently it had assumed I wanted the totals for each carrier, as well – data that the OIC concluded had been rightfully exempted.
Appeals can take a long time to work their way through the system, but they can be worthwhile. Sometimes, the department that holds the information you’re seeking will agree to a compromise in order to avoid having to make detailed, convincing representations to the Office of the Information Commissioner.
Since being SIM swapped, I’ve also taken steps to protect my online accounts. Seeing the messages that my impersonator had sent my loved ones in a (thankfully) futile attempt to extract money from them was both eye-opening and creepy. The safety measures I’ve put in place should ensure that no one is able to gain access to my accounts through this method ever again.
We’d love to hear about how you’re using Secret Canada. Send us a note or use the hashtag #SecretCanada on social media. This information helps us grow the project.
To stay updated on FOI news, upcoming data releases and new features, sign up for The Globe’s Secret Canada newsletter.