UScellular: Hackers Accessed Customer DataCustomer Relationship Management System Compromised
Wireless carrier UScellular is investigating an incident involving hackers tricking employees into downloading malicious software that compromised the company's customer relationship management platform.
The breach, which took place on Jan. 4, may have exposed customer data, including names, physical addresses, PINs, cellular telephone numbers as well as information related to billing statements and usage plans, according to the company’s breach notification filed with the Vermont Attorney General's Office.
Other sensitive information, such as Social Security and credit card numbers, are masked within the company's CRM system and were not exposed during the breach, the company says.
The notification did not indicate how many customers may have been affected by this incident. UScellular, the fourth largest carrier in the U.S., has about 5 million customers in 21 states, according to company filings with the U.S. Securities and Exchange Commission.
USCellular says it has “no indication” of unauthorized access to online user accounts. It’s resetting affected customers' PINs and security questions. And it’s warning its users to beware of fraudsters using the exposed data for phishing campaigns and other scams.
A company spokesperson tells Information Security Media Group that the breach affected "a small number of our customer accounts."
UScellular says it first became aware of the security incident on Jan. 6, two days after hackers appear to have gained access to the CRM platform and customer data.
Hackers contacted employees at some of the company’s retail stores and tricked them into downloading malicious software onto company-owned devices that the employees used.
"Since the [targeted employees] were already logged into the customer retail management system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee's credentials," the UScellular notification says.
UScellular notes that it has reset employee credentials at those retail stores targeted by the hackers.
James McQuiggan, a security awareness advocate at security firm KnowBe4, says that the UScellular employees appear to have been the victim of voice phishing or vishing.
"Organizations must train and make their employees aware of vishing and phishing social engineering scams and the need to verify callers from within the organization requesting actions be taken with the systems to reduce the risk of a data breach and damage to their reputation and bottom line," McQuiggan says.
The hackers likely gleaned information about the employees from social media accounts, such as LinkedIn, and then used that data as part of a socially engineered scam, he says.
"With the right information collected from various social media accounts, a cybercriminal could convince someone they're from the IT department and ask them to update their systems and visit a website to obtain the software," McQuiggan says. "It's crucial that employees verify who they are speaking with and verify the employee works at the organization."
Earlier this month, the FBI issued a notification warning about increases in vishing as a way to collect credentials or launch socially engineered attacks (see: FBI Warns of Increase in Vishing Attacks).
Another Carrier Targeted
In December 2020, carrier T-Mobile acknowledged that some of its customers may have had their mobile phone account information exposed during a data breach (see: T-Mobile Alerts Customers to New Breach).
T-Mobile spokesperson said that about 200,000 of its mobile customers were affected by the incident.
Editor's Note: This article was updated to include comments from a UScellular spokesperson.