Tristan Peloquin reports: Telus customers who were victims of SIM card scams are sounding the alarm on apparent flaws in the company’s security systems. An employee of its discount subsidiary Public Mobile even told a customer that the service she uses is “more at risk than others” because she pays less. “If you pay for a discount service, we’re not going to invest as much in the system. You’re not going to invest millions when you have customers paying $5, $10 or $15 a month and it’s not profitable. At the end of the day, it’s a private company.“ This is a transcript of what a Telus representative in charge of customer data protection told Public Mobile customer Annie Montplaisir last March, a few days after Montplaisir’s phone was hacked. Read more on the Toronto Star. There’s a certain amount of truth to “You get what you pay for,” but this harsh dose of reality was unpalatable to many — so much so that that Telus apparently tried to distance itself from its own employee’s statement: Telus told La Presse the company had conducted an internal investigation following the statements. “Public Mobile is a very important brand for us. To say that we are not investing in it is absolutely false,” said Jim Senko, president of the company’s Mobility Solutions team. “This is our fastest growing subsidiary, and we have spent a lot of money to improve its security,” he said, adding that more advanced verification measures had been implemented since the scam that affected Montplaisir. For example, it is no longer possible for hackers to make SIM card changes entirely online on the Public Mobile site, as in Montplaisir’s case. Any criticism isn’t just falling on Telus. It is also falling on an agency that was supposed to serve the public interest. The CRTC is “lethargic,” according to an expert. “Lethargic” may be putting it diplomatically as at least one privacy advocate has often criticized the CRTC as being more of a handmaiden or sell-out to the telecoms instead of diligently protecting consumers. Even now, La Presse reports: The CRTC announced on Wednesday that it would release some information illustrating the “data trend” related to the phenomenon on July 8, but no specific details about each vendor will be made public. The agency declined to answer La Presse’s questions for this report. Why not? Why won’t it name names and be more transparent? WHO is CRTC really serving when it withholds information from the public? And what is the Privacy Commissioner’s office doing? It’s all well and good to have a reputation for politeness. It’s neither all well nor good to roll over and let telecoms amass massive amounts of consumer data that they then use to make more profits while failing to provide adequate security for it. Where is the rigorous audit and investigation by the government and action by those responsible for protecting the public?