UScellular, the fourth-largest wireless carrier in the U.S. with 4.9 million customers, has been hacked.
According to a Bleeping Computer report, UScellular filed a breach data notification with the Vermont attorney general's office, noting that that retail store's employees were scammed into downloading software onto a computer. The software allowed an attacker to access the computer remotely. When the employee logged into the customer relationship management (CRM), the hackers gained access to these records.
"On January 6, 2021, we detected a data security incident in which unauth0rized individuals may have gained access to your wireless customer account and wireless phone number. A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer. Since the employee was already logged into the customer retail management ("CRM") system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee's credentials," USCellular said in its data breach notification.
Brandon Hoffman, Chief Information Security Officer at Netenrich, says, "This and other recent breaches continue to highlight that people remain the key to both sides of the cyber equation. They can serve as our greatest deterrent or our enemy’s best weapon. The cyber industry has been espousing the need for consistent and comprehensive security awareness training. Many of us wonder whether it is the training programs that aren’t working, or if they are not implemented correctly, or if simply there is no real interest from the regulars users to pay close enough attention."
Jennifer Geisler, CMO at Vectra, notes, “This is another proof point that reminds us that no organization is immune to breaches. While prevention is required, it is not infallible. Organizations need security that sees attacks and stops them from becoming breaches.”
Craig Lurey, CTO and Co-Founder of cybersecurity and password management provider Keeper Security, says, "U.S. Cellular holds some very valuable personally identifiable information (PII), which creates an attractive target for cybercriminals. What’s more, is that it is unlikely the attack stops with this data breach - there is a potential for additional targeted attacks, like SMS takeover for 2FA attacks and credential stuffing, as customers' credentials have now been obtained from this breach. Because of this, U.S.Cellular customers should be sure to increase their personal cybersecurity protection by enabling 2FA. Unfortunately, we are seeing this threat continue to grow with 63% of U.S. companies seeing an increase in phishing and social engineering during the pandemic and 53% noting a jump in credential theft. Cybercriminals are becoming more sophisticated with their attacks - and will continue to be quick to exploit vulnerabilities as each endpoint creates an access point to attack, so properly training employees is necessary to avoid falling victim to a situation like this in the future.”