Chicago-based wireless carrier UScellular started informing customers last week that their personal information may have been accessed and their phone numbers ported as a result of a cybersecurity breach.
UScellular is one of the largest wireless carriers in the United States — it claims to have nearly 5 million customers across 20 states. However, it’s unclear how many were affected by the data breach. SecurityWeek has reached out to the company for more information.
The carrier said it detected the breach on January 6, 2021, and its investigation so far suggests that the attackers first gained access to its systems two days earlier. The hackers used an undisclosed method to trick UScellular employees working in retail stores into downloading malicious software.
This malware then allowed the attacker to remotely access compromised store computers and the customer retail management (CRM) system running on them. Since employees were already logged into the CRM system, the attackers were able to access the CRM with the employee credentials and access wireless customer accounts and phone numbers.
“After accessing your account, a wireless number on your account was ported to another carrier by the unauthorized individuals,” the company told customers in a data breach notice posted on its website.
UScellular said the attackers may have gained access to names, addresses, PIN codes, phone numbers, and information on wireless services, usage, and billing statements (CPNI). Social security numbers and payment card information are entered into the CRM, but they are “masked” so they likely haven’t been exposed.
“At this time, we have no indication that there has been unauthorized access to your UScellular online user account (My Account),” customers were told.
In response to the incident, UScellular has removed infected computers from stores, changed compromised employee credentials, and modified the PIN and security question/answer of customers and their authorized contacts. Law enforcement has also been notified.
“We also have worked with those who had a number ported to provide a new temporary number while working to retrieve the fraudulently ported number or provide a new number at the customer’s choice. When a number is ported, the unauthorized individuals do not obtain access to information contained on the customer’s mobile device such as contacts or applications,” the company said. “Nevertheless, we advised these customers to be diligent about monitoring and reviewing their online accounts and financial statements for unauthorized access and transactions and recommend changing the usernames and passwords of online accounts.”
It’s unclear why the attackers ported phone numbers, but taking control of someone’s phone number can be highly useful to cybercriminals in some cases, particularly if they want to access an account protected with SMS-based two-factor authentication (2FA). If they have the targeted user’s username and password, having control of their phone number ensures that the 2FA code is sent to them when they try to log in.
UPDATE: UScellular told SecurityWeek that only a “small number” of customer accounts were impacted by the incident. The company provided the following statement.
We recently detected a security incident in which there was unauthorized access to a small number of our customer accounts. This incident involved social engineering by sophisticated fraudsters to gain access to our systems. We immediately took action to protect our customers’ information and to prevent future access. Any sensitive personal information in the accounts is not viewable or accessible in the system, and all affected customers have been notified. We take data security and privacy very seriously, and we have systems and processes in place to prevent, detect and respond to continuously evolving threats.
Related: T-Mobile Notifying Customers of Data Breach
Related: Digital Banking Service Dave Says Data Stolen in Third-Party Breach
Related: Industry Reactions to Nation-State Hacking of Global Telcos