Last week, Chicago-based telecommunications provider UScellular began warning subscribers that, as a result of a security breach, their personal details may have been accessed and their phone numbers ported.
UScellular is one of the United States’ biggest telecommunications providers, claiming almost 5 million subscribers across 20 states. It is not known, though, how many of them were affected by the data leak.
On January 6, 2021, the carrier said it found the breach, and its analysis so far indicates that the attackers first obtained access to its devices two days earlier. The hackers used an unknown tool to trick UScellular workers in retail stores into downloading malware.
This malware then allowed the intruder to remotely access the infected store machines and the consumer retail management (CRM) system running on them. Because employees were already logged into the CRM system, the attackers were able to enter the CRM using the employee keys and access wireless customer accounts and phone numbers.
“A wireless number on your account was ported to another carrier by unauthorised individuals after accessing your account,” the firm told consumers in a data breach alert posted to its website.
UScellular said attackers could have had access to names, emails, PIN codes, telephone numbers, and information on wireless services, usage, and billing statements (CPNI). Social security numbers and credit card data are also entered in the CRM, but they are “masked”, so they have probably not been revealed.
“We have no indication at this time that unauthorised access to your UScellular online user account (My Account) has been available,” consumers were advised.
In response to the incident, UScellular removed the infected machines from stores, changed the compromised employee passwords, and changed the PINs and security questions/answers of customers and their authorised contacts. Law enforcement was also notified.
“We have collaborated with those who had a number ported to provide a new provisional number while trying to recover the number ported fraudulently, or to provide a new number at the option of the client. When a number is ported, unauthorised persons do not gain access to information such as contacts or software contained on the mobile device of the client,” the firm said. “Nevertheless, we advised these clients to monitor and review their online accounts and financial statements diligently for unauthorised access and transactions and recommend changing online account usernames and passwords.”
It is uncertain why the attackers ported phone numbers, but in some situations taking possession of someone’s phone number can be extremely useful to cybercriminals, particularly if they are trying to access an account secured by SMS-based two-factor authentication (2FA). If they already have the targeted user’s username and password, possession of the phone number ensures that the 2FA code is delivered to them when they attempt to log in.
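On the defending side, an online service can stop trusting SMS codes for a period after a number changes carrier. The sketch below is an added example, not anything published by UScellular: the port-notice feed, the record fields, the 7-day hold window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy: distrust SMS codes for this long after a number is ported.
PORT_HOLD = timedelta(days=7)

# Constructed sample data (not from the incident): port notices and 2FA logins.
PORT_EVENTS = [
    {"number": "+15555550101", "ported_at": "2021-01-05T14:02:00"},
    {"number": "+15555550101", "ported_at": "2020-03-01T09:00:00"},
]
LOGIN_EVENTS = [
    {"id": "a1", "number": "+15555550101", "factor": "sms", "at": "2021-01-05T13:30:00"},
    {"id": "a2", "number": "+15555550101", "factor": "sms", "at": "2021-01-05T15:10:00"},
    {"id": "a3", "number": "+15555550101", "factor": "totp", "at": "2021-01-06T08:00:00"},
    {"id": "b1", "number": "+15555550102", "factor": "sms", "at": "2021-01-05T15:20:00"},
    {"id": "a4", "number": "+15555550101", "factor": "sms", "at": "2021-01-20T10:00:00"},
]

def parse_ts(text):
    """Parse an ISO-8601 timestamp as used in the sample records."""
    return datetime.fromisoformat(text)

def port_times(port_events):
    """Map each phone number to the list of times it was ported."""
    by_number = {}
    for ev in port_events:
        by_number.setdefault(ev["number"], []).append(parse_ts(ev["ported_at"]))
    return by_number

def sms_trusted(number, when, ports, hold=PORT_HOLD):
    """False if `number` was ported within `hold` before (or exactly at) `when`."""
    return not any(timedelta(0) <= when - p < hold for p in ports.get(number, []))

def flag_logins(logins, port_events, hold=PORT_HOLD):
    """Return ids of logins that passed SMS 2FA on a recently ported number."""
    ports = port_times(port_events)
    return [
        login["id"]
        for login in logins
        if login["factor"] == "sms"
        and not sms_trusted(login["number"], parse_ts(login["at"]), ports, hold)
    ]

if __name__ == "__main__":
    # Only the SMS login that follows the port inside the hold window is flagged.
    print(flag_logins(LOGIN_EVENTS, PORT_EVENTS))
```

The same `sms_trusted` check can be applied before sending a code, so that a login on a recently ported number is routed to another factor instead of SMS.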