USCellular, the fourth-largest wireless carrier in the United States, disclosed a security incident, which resulted in unauthorized access to its customers' accounts.
In a data breach notification the company explained that the breach occurred after its retail store's employees were scammed into downloading software onto a computer, which allowed the attackers to gain access to customer’s accounts and phone numbers.
“On January 6, 2021, we detected a data security incident in which unauth0rized individuals may have gained access to your wireless customer account and wireless phone number. A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer,” the company said. “Since the employee was already logged into the customer retail management ("CRM") system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee's credentials.”
The company said that having access to a customers' account in the CRM, the threat actor would have been able to see their name, address, PIN, cell phone numbers, service plan, and billing/usage statements. According to USCellular, the attacker would not have been able to see personal customers’ information, such as Social security Number or credit card data, as they are masked within CRM.
The company also reset affected customers' and authorized contact's PIN and security questions/answers.
The mobile operator believes that the incident took place on January 4, 2021. USCellular did not disclose how many customers were impacted, what malicious software was downloaded, or how exactly the employees were tricked into downloading the malware.