UScellular filed a data breach notification with the Vermont Attorney General’s office after hackers breached the company’s customer relationship management (CRM) software and accessed customer data. The breach occurred after scammers tricked company employees into downloading a remote access tool that allowed an attacker to access the computer remotely. Because the employees were logged into the CRM software, the attackers leveraged that access to compromise UScellular customer data.
Hackers leveraged employee CRM software access to access customer data
The fourth-largest mobile carrier in the US said on Jan 6, 2021, it detected a security incident in which unauthorized individuals gained access to affected customers’ account information and mobile phone numbers. The company believed that the breach occurred on Jan 4, 2021.
UScellular attributed the incident to a “few employees in retail stores” that were tricked into downloading the malicious remote access software.
“Since the employee was already logged into the customer retail management (“CRM”) system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee’s credentials,” the data breach notification stated.
The now-archived copy of the notification added that hackers ported customers’ mobile numbers to another carrier.
Doing so would allow the attackers to receive SMS-based two-factor authentication (2FA) codes without triggering suspicion from the destination network, which was likely unaware of the breach at that moment.
The Chicago, Illinois-based mobile carrier, however, claimed that only a “small number” of customers were affected by the hack.
What customer data was leaked in the UScellular CRM software breach?
The attackers accessed each affected customer’s name, address, PIN code, and cellular telephone number(s). Customer data, including service and billing plan and usage, also known as Customer Proprietary Network Information (CPNI), was also accessed from the company’s CRM software using employees’ login credentials.
However, UScellular clarified that sensitive customer data such as Social Security numbers (SSNs) and credit card information was not accessed because it was masked in the compromised CRM software. The company added that the attackers did not use the stolen customer data to access customers’ online user accounts.
“While credit card information and social security numbers may not have been compromised, the amount of information that was accessed would make account takeovers by the attackers a trivial matter, even if they were unable to access the systems again directly, as it contains the information needed for customer service representatives to confirm the account on a phone call,” says Erich Kron, a security awareness advocate at KnowBe4. “Once the information is confirmed by the customer service rep, the attackers would be free to swap SIMs, or port the phone number to another device.”
US carrier isolates device, resets employee and customer accounts
UScellular said that the compromised computer was isolated and removed from the retail stores. Additionally, it reset the impacted employees’ CRM software login credentials and subscribers’ PINs and security questions to prevent further compromise.
The US carrier also involved law enforcement agencies as required by the Federal Communications Commission (FCC) and state authorities.
Additionally, UScellular provided new or temporary mobile telephone numbers to users whose numbers were ported to a different network.
UScellular subscribers warned of potential risks
Eric Jagher, Senior Vice President, Retail Sales and Operations at UScellular, advised the affected customers to change their login credentials on other online accounts reusing the affected mobile numbers and passwords. They should also remain vigilant for potential phishing scams originating from the breach.
“Nevertheless, we advised these customers to be diligent about monitoring and reviewing their online accounts and financial statements for unauthorized access and transactions,” the update continued.
UScellular joins other major mobile service providers breached by suspected fraudsters within the past few months.
T-Mobile disclosed a similar breach in Dec 2020, affecting 200,000 subscribers. The hack originated from illegal access to employee emails, which allowed the attackers to access customer data. Last year’s attack was the third in a row after the Nov 2019 and Aug 2018 intrusions.
It seems that internal employees were increasingly becoming the weakest link in efforts to protect customer data.
“People being socially engineered into downloading Trojan Horse programs has been one of the most common hacking methods for over three decades,” Roger Grimes, a data-driven defense evangelist at KnowBe4, said. “And it takes the best combination of policies, technical defenses, and education an organization can muster to mitigate. We know for sure that policies and technical defenses, by themselves, are not enough.”
He added that employees must receive training to spot social engineering attacks and on mitigation efforts in such circumstances.
“Sadly, although social engineering and phishing is responsible for 70% to 90% of all malicious digital breaches, most companies spend less than 5% of their IT cybersecurity resources to fight,” Grimes lamented. “This fundamental misalignment is why social engineering continues to be such a successful method for hackers.”