[BreachExchange] USCellular hit by a data breach after hackers access CRM software

Mon Feb 1 10:24:56 EST 2021

https://www.bleepingcomputer.com/news/security/uscellular-hit-by-a-data-breach-after-hackers-access-crm-software/

Mobile network operator USCellular suffered a data breach after
hackers gained access to its CRM and viewed customers' accounts.

In a data breach notification filed with the Vermont attorney
general's office, USCellular states that retail store's employees were
scammed into downloading software onto a computer.

This software allowed an attacker to access the computer remotely, and
as the employee was logged into the customer relationship management
(CRM), they gained access to that as well.

"On January 6, 2021, we detected a data security incident in which
unauth0rized individuals may have gained access to your wireless
customer account and wireless phne number. A few employees in retail
stores were successfully scammed by unauthorized individuals and
downloaded software onto a store computer."

"Since the employee was already logged into the customer retail
management ("CRM") system, the downloaded software allowed the
unauthorized individual to remotely access the store computer and
enter the CRM system under the employee's credentials," states the
USCellular data breach notification.

USCellular believes the attack occurred on January 4th, 2021.

It is not clear from the notification how many customers were affected
and whether the employees were scammed via a phishing email or another
method.

While viewing a customers' account in the CRM, the threat actor would
have been able to see their name, address, PIN, cell phone numbers,
service plan, and billing/usage statements.

"As indicated above, your customer account was impacted in this
incident. Information your customer account includes your name,
address, PIN c0de, and cellular telephone numbers(s) as well as
information about your wireless services including your service plan,
usage and billing statements known as Customer Proprietary Network
Information ("CPNI")," the data breach notification continues.

USCelluar states that customers' social security numbers and credit
card information were not accessible as they are masked in the CRM.

In a now deleted data breach notification [archived copy] posted to
USCellular's site, the mobile carrier also stated that the attackers
were able to port numbers for affected customers to another carrier.

"After accessing your account, a wireless number on your account was
ported to another carrier by the unauthorized individuals." -
USCellular

After porting the numbers, threat actors could have used it in
additional attacks, such as phishing, to gain access to 2-factor
authentication codes sent via text message.

After learning of the attack, USCellular isolated the infected
computer and reset the employee's passwords.

The company also reset impacted customers' and authorized contact's
PIN and security questions/answers, which can be set up again by
contacting USCellular.

Affected customers should be on the lookout for targeted phishing
scams utilizing information stolen from the CRM.

BleepingComputer has contacted USCellular with questions about the
breach and how the employees were scammed but have not heard back.