Phone Retailer Boost Mobile Announces a Data Breach Two Months After It Happened
The Boost Mobile brand was brought to the US nearly eighteen years ago. Since then, the phone retailer and telecommunication service provider has invested enormous sums of money into marketing efforts, and it now bills itself as the company that provides "the best unlimited plans with no annual service contracts." It's difficult to say how many people are using Boost Mobile's services, but it's fair to say that the number probably isn't insignificant. These people might not be very happy to learn that Boost Mobile suffered a cyberattack recently. They will probably be even more upset about the way the company reported the incident.
Boost Mobile got hit by hackers
According to a notification posted last week, on March 14, Boost Mobile's IT people noticed unusual activity on the company website. After a brief investigation, they found out that hackers were using phone numbers and PIN codes to gain unauthorized access to unsuspecting customers' accounts. Once in, the crooks had the chance to get to some personal information as well as change users' plan and account settings.
As soon as they discovered the attack, Boost Mobile's IT specialists implemented a "permanent solution". Users have received a text message with a temporary PIN code and a link through which they can reset it. Although the nature of the exposed information was not disclosed, the notice was furnished with a generic-looking list of steps that you need to take if you suspect that you've been a victim of identity theft.
More than a few questions are left unanswered
The more observant among you have probably noticed that the incident took place a little over two months ago, and yet the data breach notification was posted last week. This is not that uncommon. In fact, sometimes, data breaches remain unreported for months or even years simply because the targeted companies don't know about them. With Boost Mobile, however, things are a bit different. Its IT team noticed the attack as it was happening, and they apparently fixed it immediately. In light of this, it becomes rather interesting to learn why it took the telecom provider close to two months to issue an official notice.
Speaking of the official notice, given that they had so much time to prepare it, some of the obvious errors in it seem rather peculiar. It says, for example, that the unauthorized access activity was observed on "Boost.com". Boost.com is the website of a Nestlé-owned brand of nutritional drinks which has nothing to do with Boost Mobile. The people writing the notice probably meant Boostmobile.com.
This is the least of the statement's problems, though. For one, it gives us no clue as to how many users are affected. The fact that the data breach notice was also filed with the State of California suggests that no fewer than 500 residents of The Golden State might have had their accounts exposed, but that's about as much as we know.
Boost Mobile's team also said that the unauthorized access was enabled by correct phone number and PIN code combinations, but they failed to say how the hackers got their hands on the credentials. Did they guess them? Did they phish them? Or was Boost Mobile's security breached? The answers are nowhere to be seen. We have no way of knowing how "permanent" the "permanent solution" is, either, because we have no idea what the provider did exactly.
This is not the first time we've seen a company struggling with the matter of reporting a data breach. The notices of even the biggest names in the technology industry, like Amazon, aren't always as informative as they should be, which does suggest that we might need some standardization and even regulation around data breach reporting. Sadly, this is a somewhat Utopian goal that, as things stand, is unlikely to be achieved anytime soon. That's why, when you're faced with breach notices such as the one we described above, you have little choice other than to carefully consider the information you're given and act accordingly. Now, go and change your Boost Mobile PIN code if you haven't already.