Chicago-based wireless carrier UScellular started informing customers last week that their personal information may have been accessed and their phone numbers ported as a result of a data breach.
UScellular is one of the largest wireless carriers in the United States — it claims to have nearly 5 million customers across 20 states. However, it’s unclear how many were affected by the data breach. SecurityWeek has reached out to the company for more information.
The carrier said it detected the breach on January 6, 2021, and its investigation so far suggests that the attackers first gained access to its systems two days earlier. The hackers used an undisclosed method to trick UScellular employees working in retail stores into downloading malicious software.
This malware then allowed the attackers to remotely access compromised store computers and the customer retail management (CRM) system running on them. Since employees were already logged into the CRM system, the attackers were able to use the employees’ credentials in the CRM to access wireless customer accounts and phone numbers.
“After accessing your account, a wireless number on your account was ported to another carrier by the unauthorized individuals,” the company told customers in a data breach notice posted on its website.
UScellular said the attackers may have gained access to names, addresses, PIN codes, phone numbers, and information on wireless services, usage, and billing statements (CPNI). Social security numbers and payment card information are entered into the CRM, but they are “masked” so they likely haven’t been exposed.
“At this time, we have no indication that there has been unauthorized access to your UScellular online user account (My Account),” customers were told.
In response to the incident, UScellular has removed infected computers from stores, changed compromised employee credentials, and modified the PIN and security question/answer of customers and their authorized contacts. Law enforcement has also been notified.
“We also have worked with those who had a number ported to provide a new temporary number while working to retrieve the fraudulently ported number or provide a new number at the customer’s choice. When a number is ported, the unauthorized individuals do not obtain access to information contained on the customer’s mobile device such as contacts or applications,” the company said. “Nevertheless, we advised these customers to be diligent about monitoring and reviewing their online accounts and financial statements for unauthorized access and transactions and recommend changing the usernames and passwords of online accounts.”
It’s unclear why the attackers ported phone numbers, but taking control of someone’s phone number can be highly useful to cybercriminals in some cases, particularly if they want to access an account protected with SMS-based two-factor authentication (2FA). If they have the targeted user’s username and password, having control of their phone number ensures that the 2FA code is sent to them when they try to log in.