Well, it has finally happened to me. I have received a warning letter from my mobile phone provider stating that my account was one of a number of accounts involved in a data breach perpetrated against the company that provides my mobile phone services. This is the first letter of this type I have ever received warning me that my data might be in the hands of thieves.
I have written several articles addressing this subject and what companies and individuals should do to protect themselves. My letter states that I may be subject to “phishing” and “smishing” attacks, and the reverse side of the letter explains what each of these is, as well as other measures I should take. Examples: “Email and text message headers can be easily forged, so the posing sender may not be the real sender.” “Avoid providing or filling out forms via email because data is likely to be unsecured.” “I should realize that internet scammers can create realistic forgeries of websites.”
I wonder how many people actually turn the letter over and read the information. Data breaches have become so common that few people take the time to do more than a cursory glance at letters or information received unless unexpected charges show up.
Because I like to be thorough, I did a Google search for a data breach at this company and, no surprise, nothing showed up. I would be curious whether this data breach involved a few hundred accounts or a few million. Because I have done business with this company for over 40 years, under one name or another, I do not think I will be switching services soon.
As I have previously written, I do have a hard time with a company that reports a data breach and then expects the customer to shoulder the responsibility of watching out for potential attacks. A properly developed fraud monitoring system can be fine-tuned to recognize patterns that are outside of the individual's previous behavior in the use of, in this case, online account management or mobile phone usage. This should be a requirement for any company that has a data breach, as the first step in protecting potentially sensitive data from further compromise. Too many companies want individuals to spend their time and effort protecting against potential threats even though the company itself screwed up.
The line I enjoyed the most in the letter is “This letter is to advise you that we recently detected an organized and systematic attempt to obtain information on a number of customer accounts, including yours.” This was followed by “We do not believe that the perpetrators of this attack obtained access to your online account or any information contained in that account.”
Several years ago I was required to place some information on the online account in order to register something to do with my mobile phone service. This is why I find the company's statement about “recently detected” to be an oxymoron: since I have not used or tried to sign on to that feature in years, any detection system the company may have had in place should have “immediately detected” that something was suspicious.
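To make concrete what the fraud monitoring described two paragraphs up would look like, and why access to a years-dormant account should trip it immediately, here is an added example. It is not the carrier's code and nothing in the letter describes their system; the log format, field names, account names, addresses, thresholds and every event in the sample are constructed for the demonstration. It scores each login attempt against the profile built from that customer's own earlier activity (time since last successful login, devices previously used) and, separately, flags a single source address that walks through many different accounts in a short window, which is what an “organized and systematic attempt” tends to look like in the logs.

```python
"""Illustrative behavioral monitoring pass over online-account login logs.

Added example, not the mobile provider's code. Log format, field names,
thresholds and all sample events below are constructed (hypothetical).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: routine customer activity over several years,
# then a burst of attempts from one address against many accounts, some
# of which have not been touched in well over a year.
SAMPLE_LOG = """\
2019-03-02T10:15:00Z account=alice ip=203.0.113.5 device=dev-a1 result=ok
2019-03-09T19:40:00Z account=alice ip=203.0.113.5 device=dev-a1 result=ok
2019-04-01T08:05:00Z account=bob ip=198.51.100.7 device=dev-b1 result=ok
2019-12-01T07:55:00Z account=alice ip=203.0.113.5 device=dev-a1 result=ok
2020-01-10T12:00:00Z account=carol ip=192.0.2.44 device=dev-c1 result=ok
2020-02-12T18:20:00Z account=bob ip=198.51.100.7 device=dev-b1 result=ok
2020-10-20T09:10:00Z account=alice ip=203.0.113.5 device=dev-a1 result=ok
2020-11-03T13:45:00Z account=carol ip=192.0.2.44 device=dev-c1 result=ok
2021-01-20T20:30:00Z account=bob ip=198.51.100.7 device=dev-b1 result=ok
2021-06-15T09:30:00Z account=bob ip=198.51.100.7 device=dev-b1 result=ok
2021-06-16T22:01:00Z account=alice ip=203.0.113.5 device=dev-a1 result=ok
2021-10-05T11:25:00Z account=carol ip=192.0.2.44 device=dev-c1 result=ok
2023-11-20T03:12:00Z account=alice ip=203.0.113.200 device=dev-x9 result=ok
2023-11-20T03:12:30Z account=bob ip=203.0.113.200 device=dev-x9 result=fail
2023-11-20T03:13:00Z account=carol ip=203.0.113.200 device=dev-x9 result=ok
2023-11-20T03:13:20Z account=dave ip=203.0.113.200 device=dev-x9 result=fail
2023-11-20T03:14:00Z account=erin ip=203.0.113.200 device=dev-x9 result=fail
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a UTC datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect(log_text, dormant_days=365, probe_accounts=3, probe_window=timedelta(minutes=10)):
    """Score login attempts in time order against each account's own history.

    Returns a list of alert dicts. Thresholds are assumed values for the
    demonstration: a real deployment would tune them to its customer base.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_seen = {}                    # account -> time of last successful login
    known_devices = defaultdict(set)  # account -> devices that logged in successfully before
    by_ip = defaultdict(list)         # source ip -> [(ts, account)] for every attempt
    flagged_sources = set()           # sources already reported, to avoid re-firing
    alerts = []

    for ev in events:
        acct, ip, dev, ts = ev["account"], ev["ip"], ev["device"], ev["ts"]

        # Per-account checks: deviation from this customer's previous behavior.
        # A dormant account suddenly being touched is exactly the case the post
        # argues should be detected immediately, not "recently".
        if acct in last_seen and ts - last_seen[acct] > timedelta(days=dormant_days):
            alerts.append({"ts": ts, "rule": "DORMANT_ACCOUNT_ACCESS", "account": acct, "ip": ip})
        if acct in known_devices and dev not in known_devices[acct]:
            alerts.append({"ts": ts, "rule": "NEW_DEVICE", "account": acct, "ip": ip})

        # Per-source check: one address trying many distinct accounts in a short
        # window, regardless of whether the individual attempts succeed.
        by_ip[ip].append((ts, acct))
        recent = {a for t, a in by_ip[ip] if ts - t <= probe_window}
        if len(recent) >= probe_accounts and ip not in flagged_sources:
            flagged_sources.add(ip)
            alerts.append({"ts": ts, "rule": "MANY_ACCOUNTS_FROM_SOURCE", "account": None,
                           "ip": ip, "accounts": sorted(recent)})

        # Only successful logins extend the account's behavioral profile;
        # failed attempts must not teach the baseline an attacker's device.
        if ev["result"] == "ok":
            last_seen[acct] = ts
            known_devices[acct].add(dev)
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'NEW_DEVICE': 3, ...}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["account"] or a["ip"])
    print(summarize(found))
```

Run against the constructed sample, none of the historical logins raise an alert, while every attempt in the 2023 burst does: the three accounts with a history are flagged both as dormant and as coming from an unseen device, and the source address is reported once it has touched three different accounts inside the window, before the attempts against the accounts with no history even happen. The point of the design is that the per-account rules need no knowledge of the attacker at all, only of the customer, which is why a carrier that keeps years of account activity is in a far better position to spot this than the customer reading a letter weeks later.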
I am probably safer than most of the affected customers. Not because I have been helping companies understand and fight fraud since 1998, or because I have given a number of seminars on this subject. The main reason is that any time I have upgraded to a new phone, two in over 10 years, I have immediately had the company shut down the phone's ability to connect to the internet and to receive or send text messages. I use my phone as a phone.
The same day, and in a nearly identical envelope, came a second letter from the mobile phone company. In this letter I was being offered a free Android smartphone, which would make it easier for me to receive texts and give me faster web browsing. I know this company is large, but I wonder if they should not have waited a few days to send out this promotion, since they had just informed me that they had been hacked, that my data was probably compromised, and that I could be subject to unsafe texts and potentially harmful web browsing.