UScellular breach: new details revealed

UScellular has revealed new details about the January data breach, first reported by Cybernews, that resulted in thousands of customers' personal data being offered for free on the dark web.

The company posted a "Notice of Data Breach" on its website March 8.

According to UScellular, it became aware of the “data security incident” on January 18, 2023.

“Between January 1, 2023 and January 8, 2023 [...] unauthorized individuals may have illegally gained access to a former third-party vendor’s system,” the company announced.

“This incident was caused by a misconfigured server at the vendor that allowed the individuals to view certain outdated information on 52,000 wireless customer accounts,” UScellular said.

The fourth-largest US wireless carrier said its relationship with the third-party vendor ended several years ago.

UScellular had confirmed the breach to Cybernews the first week of February, after our research team noticed a sample of the stolen information posted by a reputable hacker on the popular leak site BreachForums, sometimes also referred to as Breached.

Ironically, Breached was shut down last week after the FBI arrested its 20-year-old administrator in New York following a year-long investigation.

The known hacker had originally posted the data as a free download link on February 3, claiming the breach took place in January 2023 and involved 144K customers.

Although the number turned out to be significantly lower, customer data was still exposed for over a month before UScellular officially announced the breach on its website.

UScellular breach notice

In February, UScellular spokesperson Katie Frey told Cybernews that the January incident was unrelated to another UScellular customer breach that occurred in December 2021.

UScellular said the personal data stolen included customer names and telephone numbers, as well as information about their wireless services, otherwise known as Customer Proprietary Network Information (CPNI).

As we reported in February, the CPNI discovered by our research team included other sensitive information such as the customer subscriber ID, subscriber and account keys, full name and business name, account activation date, current cellular plan and price, device manufacturer and model, current balance, and whether the user is enrolled in autopay and/or has an insurance policy on their device.

Interestingly, the UScellular breach notice only mentions service plans, device types, and the single monthly amount owed on the bill.

UScellular did confirm “the data impacted did not include sensitive personal information, such as Social Security number or credit card information.”

As we also mentioned in February, although the company states that the customer information posted on the Breached site was out-of-date, there is no proof that those customers are not still active with UScellular – and therefore could be further compromised.

The company said it took “immediate measures to prevent this type of incident in the future,” but did not specify what exactly those measures are.

The still-unnamed third-party vendor “is currently working with law enforcement to identify the responsible party and all information has been removed from internet connectivity,” they said.

UScellular said it reported the incident to law enforcement in accordance with FCC requirements.

UScellular is urging customers to remain vigilant against phishing schemes and recommends changing your password and creating a strong PIN for the account.

Customers who would like to change their PIN and/or security questions and answers need to contact UScellular directly.

“We apologize for this incident and any inconvenience it may have caused. Your confidence in our ability to safeguard your personal information and your peace of mind are very important to us,” UScellular said.