UScellular, the fourth largest mobile operator in the USA, has admitted its billing system was compromised by hackers, reported Bleeping Computer last week. 405 customers received letters that explained how the privacy breach affected them. Some accounts were ported to other networks as a result of the hackers misusing the customer data they obtained.
New Hampshire law required UScellular to notify the state’s Attorney General of the data breach because it had affected five residents of that state, and UScellular complied with this obligation through a letter dated December 23. The confusing wording of the letter said they had detected illegal access to customer accounts by unauthorized individuals on December 13, but also said they believe the incident occurred “on December 13-19”, raising a lot of questions about why the hackers continued to have access for six consecutive days if their activities were identified on the first day. To add to the confusion, UScellular also wrote that they ‘immediately disconnected the computer accessed by the unauthorized individuals from the internet’.
No indication was given as to how the hackers obtained access to billing records but one hint is that UScellular responded by resetting login credentials for some employees working at their retail stores. They also “requested immediate removal from the internet of the fraudulent websites” that were created by the hackers. The information obtained by the hackers included names, addresses, PIN codes, phone numbers, usage and bills. More sensitive data, including credit card details, remained masked.
As a whole, the US has relatively weak privacy and data protection laws but the patchwork state-by-state approach means some Americans are protected more than others. The good news for consumers is that businesses which serve customers nationwide are being driven to raise their security game to satisfy the expectations of the most demanding states. New Hampshire has emerged as a leader in the domain of online privacy, imposing tougher obligations than other states. If none of the customers whose accounts had been compromised were based in New Hampshire then it is possible this data breach would never have reached any news desk.
I have written before about the need for telcos to mitigate the risks of spearphishing tactics where hackers gain access to sensitive systems by targeting specific employees. Large numbers of low-paid retail and customer service staff can obtain information from the CRM systems of comms providers, and only a few weeks ago Cox Communications admitted they suffered a privacy breach because somebody successfully impersonated one of their agents. Training staff can help to reduce the number of mistakes they make but will never lead to airtight security because hackers only need to find one weak link in a chain involving hundreds or thousands of people. So many businesses place heavy reliance on the integrity of phone services that comms providers must start adopting more sophisticated ways of proactively defending customers, such as using independent channels to verify that every porting request comes from the actual user.
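The closing recommendation, that every porting request be verified through a channel independent of the agent handling it, can be made concrete. The following is an added example, not code from the article or from any operator named in it: a small port-out verifier in which a retail or call-centre agent can open a request but cannot complete it. The port only proceeds once the customer types a one-time code delivered to the handset that currently holds the number (the `send_out_of_band` callback, assumed here to be an SMS gateway, is hypothetical). The code is stored only as a keyed hash, expires after a fixed window, and the request closes after a few wrong guesses, so neither a phished agent nor a caller who knows the account PIN can push a port through on their own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # confirmation code is valid for ten minutes
MAX_ATTEMPTS = 3         # wrong guesses before the request is closed


@dataclass
class PortRequest:
    account_id: str
    msisdn: str            # number being ported out
    target_carrier: str
    created_at: float
    code_hash: bytes       # only a keyed hash of the code is stored
    attempts: int = 0
    state: str = "PENDING_CUSTOMER_CONFIRMATION"


class PortOutVerifier:
    """Gate port-out requests behind a confirmation on an independent channel.

    An agent can *initiate* a port, but it is only APPROVED once the customer
    enters the one-time code sent to the existing handset via the hypothetical
    `send_out_of_band(msisdn, message)` callback. The agent never sees the code.
    `clock` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, server_key: bytes, send_out_of_band, clock=time.time):
        self._key = server_key
        self._send = send_out_of_band
        self._clock = clock
        self._requests: dict[str, PortRequest] = {}

    def _hash_code(self, request_id: str, code: str) -> bytes:
        # Bind the code to the request id so it cannot be replayed on another request.
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def initiate(self, account_id: str, msisdn: str, target_carrier: str) -> str:
        """Called by the agent's CRM screen; returns the request id, never the code."""
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._requests[request_id] = PortRequest(
            account_id=account_id, msisdn=msisdn, target_carrier=target_carrier,
            created_at=self._clock(), code_hash=self._hash_code(request_id, code))
        # Deliver to the number's current handset, not to the agent and not to any
        # contact detail the caller supplied during the conversation.
        self._send(msisdn, f"Port-out confirmation code: {code}. "
                           "If you did not request this, contact support.")
        return request_id

    def confirm(self, request_id: str, code: str) -> str:
        """Called from the customer-facing channel; returns the resulting state."""
        req = self._requests.get(request_id)
        if req is None:
            return "UNKNOWN_REQUEST"
        if req.state != "PENDING_CUSTOMER_CONFIRMATION":
            return req.state                      # terminal states are sticky
        if self._clock() - req.created_at > CODE_TTL_SECONDS:
            req.state = "EXPIRED"
            return req.state
        req.attempts += 1
        if hmac.compare_digest(req.code_hash, self._hash_code(request_id, code)):
            req.state = "APPROVED"
        elif req.attempts >= MAX_ATTEMPTS:
            req.state = "REJECTED"                # too many wrong guesses
        return req.state

    def state(self, request_id: str) -> str:
        return self._requests[request_id].state


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints what would be sent to the handset.
    v = PortOutVerifier(secrets.token_bytes(32), lambda num, msg: print(f"SMS to {num}: {msg}"))
    rid = v.initiate("acct-demo", "+15550100", "OtherCarrier")
    print("after a wrong guess:", v.confirm(rid, "000000"))
```

Only the `confirm` path can move a request to APPROVED, and it is reachable only from the customer-facing channel, so the porting back end should check `state(request_id) == "APPROVED"` before executing the port. Logging every `initiate` call with the agent identity, and alerting on agents who open many requests that are never confirmed, gives the fraud team the same signal this incident apparently lacked.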