UScellular Data Breach Highlights Importance of Employee Security Training

UScellular issued a release on January 21 that customer accounts were impacted by a data breach, potentially exposing names, addresses, PIN codes, and phone numbers. UScellular does not believe that more sensitive information, such as social security numbers or credit cards, were impacted.

UScellular is the fourth largest wireless carrier in the United States, with nearly 5 million customers. How was such an attack able to occur?

“A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer,” states the notice UScellular filed with the state of Vermont. “Since the employee was already logged in to the customer retail management (CRM) system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM under the employee’s credentials.”

The situation underscores that no matter how many security protocols a business has in place, the human element cannot be overlooked.

“The cyber industry has been espousing the need for consistent and comprehensive security awareness training,” said Brandon Hoffman, Chief Information Security Officer at Netenrich, in an article for Security Magazine. “Many of us wonder whether it is the training programs that aren’t working, or if they are not implemented correctly, or if simply there is no real interest from the regulars users to pay close enough attention.”

As a result of the attack, UScellular isolated the impacted computer and reset employee passwords. The company also encouraged all users to establish a new PIN and security question/answer. However, the release did not address staff education.

“Unfortunately, we are seeing this threat continue to grow with 63% of U.S. companies seeing an increase in phishing and social engineering during the pandemic and 53% noting a jump in credential theft,” said Craig Lurey, CTO and Co-Founder of cybersecurity and password management provider Keeper Security. “Cybercriminals are becoming more sophisticated with their attacks - and will continue to be quick to exploit vulnerabilities as each endpoint creates an access point to attack, so properly training employees is necessary to avoid falling victim to a situation like this in the future.”

In a Forbes article on The Human Element of Cybersecurity, Tim Conkle presents laziness and fallibility as the two biggest threat actors. Laziness, he says, often stems from a lack of communication about what policies exist and why they are important. Fallibility addresses that no policy – or person – is perfect 100% of the time.

“The only way to close the human gap is to create a process both on the technological side and the human side,” said Conkle. “Combine the two in order to strengthen the technological side and reduce potential for abuse, and strengthen the human side to stop what makes it through.”

Conkle uses the example of building security. You can put into place the latest level security smart card at the front door, but how do you prevent someone from holding the door open for the next person to enter?

“To close the human gap, you have to remember that people are going to be human,” said Conkle. “Give your users the chance to have a process that not only works with them but, most importantly, for them.”

Want to learn about cybersecurity? Capitol Tech offers bachelor’s, master’s and doctorate degrees in cyber and information security. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.