The Bleeping Computer reported on January 28 that UScellular suffered a major data breach after hackers accessed its CRM software system.
Who is UScellular?
UScellular is an American mobile network operator. They are based out of Chicago, Illinois, and are the fourth largest wireless network in the country. They have roughly 4.9 million customers across 23 states.
U.S. Cellular was founded in 1983 as a subsidiary of Telephone and Data Systems Inc., which still owns 84% of the company. On September 24, 2020, they rebranded their name as UScellular and changed their logo.
In a report filed with the Vermont Attorney General’s office, the attack occurred on January 4. According to the details, the hackers targeted employees who had access to its customer CRM software and tricked them into downloading software. Only a handful of employees were scammed, but it was enough for hackers to install malware and gain access to customer information.
These types of incidents often involve scams using the ruse of IT or customer service professionals providing assistance. The employees believe they are legitimate and therefore follow the instructions provided. The report filed with the Vermont Attorney General does not specify how the attack was carried out, just that it occurred.
Although the attack was spotted on January 6, only two days, attackers had plenty of time to exfiltrate customer data.
The data breach included customers’ names, addresses, cell phone numbers, details of their wireless plan, and PINs used to access their account. Hackers may also have had access to billing information. Unfortunately, hackers used some of this information to port these customer phone numbers to other carriers for their own personal use.
Once hackers gained full access to the stolen mobile number, they could essentially use it to spoof two-factor authentication and breach other online accounts. Alarmingly for the customers, this could also allow hackers to breach customer photos, SMS messages, and other sensitive and private data.
How Did UScellular Respond?
Upon learning about the incident, UScellular took quick action and secured the infection. They also immediately changed all PINS, security questions, and answers, along with passwords for account access, for those customers affected. UScellular also alerted all affected customers and informed them about taking additional security precautions.
UScellular commented in their data breach notification that “On January 6, 2021, we detected a data security incident in which unauthorized individuals may have gained access to your wireless customer account and wireless phone number. A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded the software onto a store computer.
Since the employee was already logged into the customer retail management (“CRM”) system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee’s credentials.”
They further explained what the data breach covers with “As indicated above, your customer account was impacted in this incident. Information about your customer account includes your name, address, PIN code, and cellular telephone numbers(s) as well as information about your wireless services, including your service plan, usage, and billing statements known as Customer Proprietary Network Information (“CPNI”).”
They did reassure the public and customers that no social security numbers or credit card details were accessed.
Safety Precautions for Affected Customers
Customers involved in the data breach should be extra watchful for any scams, blackmail schemes, and other types of fraud. They should also:
- Change passwords for all their current accounts that have two-factor authentication associated with them.
- Verify that their phone number was not stolen or ported to another service carrier.
- Keep a close eye and monitor banks and credit card accounts.
- Watch for phishing emails, scam calls, and anything related to UScelllar.