United States Cellular Corp., the country’s fourth-largest wireless carrier, has been hacked with customer information stolen.

The hack came to light through a Jan. 21 disclosure to the Office of the Vermont Attorney General that said a “data security incident” was detected Jan. 6.

A letter to customers states that a “few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer.” Having gained access, those behind the attack then remotely accessed UScellular’s customer relationship management system using the employee’s credentials.

Details believed to have been stolen included customer names, addresses, PIN codes, cellphone numbers, service plans, usage details and billing statements. The company noted that sensitive information such as Social Security numbers and credit card information were masked in the CRM system.

UScellular said it had identified and removed affected computers, reset employee credentials, changed the PIN on affected accounts and also changed the security question and answer. Law enforcement and the U.S. Federal Communications Commission have been contacted along with certain state agencies.

Exactly how the attack took place and how many customer records were stolen were not detailed. Given that it targeted employees in retail store locations, the attack could have occurred in-store or perhaps by an external party tricking employees to give them access by pretending to provide information technology department support.

“People being socially engineered into downloading Trojan Horse programs has been one of the most common hacking methods for over three decades,” Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “And it takes the best combination of policies, technical defenses and education an organization can muster to mitigate. ”

That’s why policies and technical defenses aren’t enough by themselves, he said. “Something will slip by every week or two to every employee, and because of this, employees must be trained how to spot social engineering attacks and what to do, which is report and then delete,” he said.

Erich Kron, security awareness advocate at KnowBe4 noted that access to cellular service providers’ systems and information can be very useful to attackers, especially with respect to so-called SIM swapping attacks. “By changing the SIM information on an account, these attacks can be used to bypass multifactor authentication and have been used commonly to intercept the security codes sent via text message,” he said. “These codes are often used to secure banking, cryptocurrency and other high-value accounts.”

Image: USCellular