Cybercriminals reportedly tricked employees at a U.S. Cellular store into downloading malware, which led to the exposure of customer information.
According to BleepingComputer, U.S. Cellular has filed notification with the Vermont state attorney general’s office that software downloaded to an in-store computer at one of its brick-and-mortar locations enabled unauthorized access to both that computer and U.S. Cellular’s CRM database.
As a result of the breach, believed to have occurred Monday, Jan. 4, the threat actors were able to view customer data including name, address, PIN, cell phone number(s), service plan, and billing/usage statements. Customer credit card and Social Security numbers were reportedly encrypted and could not be viewed by the hackers.
In a data breach notification, U.S. Cellular informed affected customers of the incident and of what personal information may have been exposed. U.S. Cellular has also reportedly isolated the computer used in the attack, reset the passwords of the employee who enabled the breach, and reset security settings for affected customer accounts. The company did not respond to BleepingComputer inquiries about the attack.
“This is another example of social engineering and its impacts on organizations,” Erich Kron, security awareness advocate at security training company KnowBe4, said in a statement to Chain Store Age. “When it comes to cellular service providers, access to their systems and information can be very useful to attackers, especially with respect to SIM-swapping attacks. By changing the SIM information on an account, these attacks can be used to bypass multi-factor authentication and have been used commonly to intercept the security codes sent via text message. These codes are often used to secure banking, cryptocurrency, and other high-value accounts.”