When Montrealer Hamid Shirdastian alerted tech company HP Inc. to a possible scam earlier this month, the company admitted to him it had been hacked, he told CBC — and then asked him for $100 to try to fix the problem.
"I think it was a completely wrong way to handle the case. It's really annoying that they knew they'd been hacked, but they wouldn't do anything to make it better," said Shirdastian, a PhD student in business administration at Concordia University.
In an email to CBC, HP Inc. said it was "aware of customer feedback alleging unauthorized information access" but refused to provide any more details.
It's not clear how many HP customers were affected, what data was leaked or how it happened.
Starts with phone scam
Shirdastian said that on April 5 he started receiving several calls on his cell phone from a number he suspected was a scam front number.
After a few calls, he finally decided to pick up.
"The guy knew my name and introduced himself as an HP support technician. He knew all the personal information associated with my HP laptop," Shirdastian said.
The caller asked Shirdastian to provide more personal information so he could access the laptop and correct a problem. Shirdastian suspected it was a scam and hung up.
HP admits hack, asks for money for fix
Shirdastian then called HP customer service.
"Their representative told me they'd been hacked. When I asked her if my laptop was in danger, she told me since my warranty was expired, I would have to pay $100 to check my unit," Shirdastian said.
Shirdastian said he then asked to speak to a supervisor, who told him the same thing.
"When I told him it's not my fault you've been hacked, it's your responsibility to make sure I'm safe, he said, 'No, you have to pay a hundred bucks,'" Shirdastian said.
No warning for customers
Shirdastian posted about his experience on Facebook, and an HP representative got back in touch with him.
He was told that since he did not give the scam caller any personal information, there was no need to do any further verifications.
Shirdastian said the HP representative told him that many customers had been affected by this data breach.
"She sent me a link about the case on their website. When I asked her why they didn't email it to all their customers, she said, 'That's not our procedure,'" Shirdastian said.
"They should have notified all of their customers about this," he continued.
HP Inc. emailed CBC the following statement:
"We are aware of customer feedback alleging unauthorized information access and associated fraudulent customer support calls and are actively investigating the matter. HP has alerted the proper authorities and has taken steps to share with our customers and provide them with guidance to protect themselves against customer support fraud. The security and privacy of customer information is essential to our business."
The company also referred CBC to a general statement on its customer support page.
HP Inc. has not responded to repeated follow-up calls and emails from CBC asking when and how the breach happened, how many customers were affected and why it didn't inform customers about the breach directly.