Beginning around 9 p.m. on May 14, individuals and organizations with Cellcom telecommunications started noticing telltale signs that something was wrong with phone and SMS text messaging. Texts hung up, unsent. Calls wouldn’t connect. The most recent update from the company on May 27 said “services, including both inbound and outbound calling and text messaging, are performing well for most customers following recent restoration efforts.”
While the total impact of the outage has not been quantified yet, cybersecurity professionals said this is not an isolated incident and cyber threats have been a growing concern for years.
While Cellcom does not publicly disclose an exact count of its customers, an industry comparison analysis estimates the company has 1.4 million subscribers. Besides losing voice and SMS text services, “porting” or switching an existing Cellcom phone number to another carrier was part of the system affected by the cyber incident.
On May 19, Cellcom announced texting and Cellcom-to-Cellcom phone service was working again, but some users were still reporting issues. Brighid Riordan, Cellcom CEO, released a video statement on May 20, and said the company was dealing with a “cyber incident” that caused the outage.
The company is not granting media interviews, and an online statement on May 25 said that many customers are seeing services restored but “…restoration at this scale doesn’t happen all at once, and some disruptions may still occur as systems stabilize.”
According to an email sent to customers on May 30, Cellcom is automatically compensating those who have a landline or wireless voice phone line for the value of the outage period on July bills. The company is also offering a one-time, opt-in second adjustment equal to the outage time.
Critical infrastructure
The telecommunications industry is considered critical infrastructure by the U.S. Department of Homeland Security, according to Dave Schroeder, associate director of intelligence and security initiatives at the University of Wisconsin–Madison.
Being unable to make or receive calls in an emergency is by definition critical, Schroeder said, so telecommunications providers are often a target for cyber attacks like the one Cellcom was victim to.
Nearly everyone relies on these companies for communication and there is also a high volume of personal and private information that goes through them, he said. Additionally, telecommunications companies run complex, interconnected networks, and sometimes rely on legacy infrastructure that is in need of upgrade.
In updates, Cellcom assured customers their private data remained secure. Without being privy to the company’s specific security measures, Schroeder said, “It’s always a good practice to keep things segmented as much as possible. In this case, it sounds like back end customer information and billing data is separate from the operational networks.”
The Door County government was one of the entities affected by the outage. At a May 27 county board meeting, County Administrator Ken Pabich reported that the outage certainly affected county operations and Cellcom worked with them to prioritize getting service re-established.
County leaders will discuss the situation more in-depth and explore backup plans at the next Public Safety Committee meeting, Pabich said.
Beyond emergency and government implications, businesses rely on phone service for customer inquiries and bookings, especially the week before Memorial Day in tourism-heavy Door County. Because Cellcom is a regional service provider and no national media outlets reported the story, many out-of-area visitors to Door County were not aware of the outage.
Jacob Gransee owns Island Adventure Company, an ATV, bicycle and kayak rental business on Washington Island. He said the outage has been a “big problem” going into the holiday weekend.
The outage meant Gransee’s customers could not book rentals at the last minute which account for a large portion of the company’s rental business, Gransee said. Bookings made less than 48 hours in advance are handled by phone, he said. To prevent misunderstanding, Island Adventure Company posted a message on their website about the outage.
While he does not know exactly how much business his company missed out on as a result of the outage, he is sure it is a “huge negative impact on small businesses.”
Non-business-related impacts of the outage range from minor inconveniences to potentially life-threatening situations. For instance, one Cellcom customer Knock spoke to, James Carson, said was unable to receive updates from medical appointments and doctors.
Many customers reported being unable to stay in touch with elderly relatives. Often older people rely on phone service and may be unfamiliar with Wi-Fi-enabled communication platforms like WhatsApp or Facebook Messenger.
Dynamic Family Solutions is an outpatient mental health clinic with offices in Sturgeon Bay and Green Bay. Its triage administrator, Jenna Kasten, provided a statement about how its patients and services have been affected. (Disclosure: Kasten is also a donor to Knock.)
According to the email statement, the outage had a “drastic impact” on office procedures. Though the clinic received some text messages and email from clients, it was not able to answer inquiries or schedule appointments during the outage.
Though the clinic does not receive a high volume of crisis calls, “we know that our main office number is a familiar point of contact for any of our clients who may be experiencing thoughts of self harm or suicidal ideation,” Kasten said.
Additionally call forwarding services from Cellcom were not available either, and opening a “loaner line” with a completely different phone number would be relatively pointless, Kasten said. “We have our contact information in so many provider listings online, to update all of those would be a monumental task, in addition to notifying our entire client base.”
Frustration was high amongst staff during the outage, she said, especially knowing how much busier the clinic would be trying to reach clients after service was restored.
Door County Medical Center did not respond to a request for information on how the outage may have impacted their operations.
What happened?
Besides loss of service itself and the difficulties that arose, customers have expressed frustration that Cellcom did not give the reason for the outage until almost a week had gone by. According to Cellcom’s statements, the company was working with the FBI and other authorities to deal with the issue, and for legal reasons they could not disclose more detailed information.
Professor Joshua Yue is the chair of UW-Platteville’s Department of Computer Science and Software Engineering. UW-Platteville was one of the first institutions in Wisconsin to offer a cybersecurity degree program. Neither Yue nor Schroeder at UW-Madison are working with Cellcom directly, but based on their expertise in the cybersecurity field, they offered some insight into what likely occurred.
“Most major cyber incidents follow a pattern,” Yue said. First, cyber criminals will attempt to identify weak spots in a company’s system and try to gain access by phishing or exploiting unpatched systems.
Phishing is a form of social engineering, referring to the practice of pretending to be from a legitimate agency or company in order to get someone to reveal personal or confidential information. The phisher can operate via phone calls, emails or other online contact.
Unpatched systems are operating systems or programs that have vulnerabilities or flaws that leave them open to infiltration. Fixes to those flaws are called patches.
Whether taking advantage of a network’s weaknesses, tricking an employee or gaining access through a third party, Schroeder said after the attacker has gained access, one of the most common kinds of attacks are “ransomware” attacks. They cause harm or impact a company’s basic operations and seek ransom in order for the company to continue operating.
Other forms of cyber attacks include when third-party software is targeted and compromised, causing supply chain disruption, Yue said, and “distributed denial-of-service” attacks are a growing concern. “Distributed” refers to the specific way hackers flood systems with traffic to take them offline.
Other regional companies have been the target of cyber incidents in recent years. In October 2023, Bellin Health reported a breach by an unauthorized party who accessed some documents containing individuals’ personal information.
Whether cyber criminals are attempting to gain access to personal information for purposes of fraud and identity theft, “hacktivism” or making a political statement, espionage, or holding business operations for ransom, cyber crime has increased significantly since the early 2000’s, due to advancing technology and opportunity.
It is not a threat that is going away, Schroeder said, and often other nation-states or internationally-based criminal organizations are the ones perpetrating the crimes.
According to the FBI’s most recent annual Internet Crime Report, published in April this year, there has been a 33 percent increase in financial losses due to cyber crime from 2023 to 2024.
‘Uses your humanity against you’
Blaming the victims of cybercrime is all too common, according to Gerald Eastman, president and founder of the Wisconsin Cyber Threat Response Alliance. WICTRA is a nonprofit that provides education, training and resources to help individuals and organizations prevent and manage cyber attacks.
The reality is that people committing these crimes are very good at what they do, and social engineering is very effective, Eastman said. “They operate like a business.”
Social engineering “uses your humanity against you,” he said. It manipulates people’s sense of helpfulness, trust, love, responsibility, fear, greed or laziness. Once the connection is established, which is the social engineering part of the equation, it opens the door to cyber attacks. 98 percent of cyber attacks involve some form of social engineering, according to WICTRA and other cybersecurity organizations.
For companies, their customer service staff are often targets of social engineering.
“What is their whole job? What are they trained to do? Help people.” Eastman said.
Often cyber criminals will call a customer service line and pretend they are having a problem, he said, and they have done some research to find out some personal details of an actual customer. The employee may then reveal sensitive information in their attempt to help the “customer” with their problem, he added.
Large companies like Cellcom usually have cybersecurity training and plans in place to respond to breaches. The Cellcom CEO confirmed this in her message to customers: “We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans.”
To stay or go
Whether Cellcom’s customer base will think that is enough remains to be seen. Social media comments by Cellcom customers about the outage range from those who are “jumping ship” and switching to another provider and those who said they will stick with the company.
One notable show of support for Cellcom was from the Washington Island Electric Cooperative. In a letter to Cooperative customers, Manager Robert Cornell encouraged users to stay with Cellcom, citing NSight’s — Cellcom’s parent company — support of broadband infrastructure development on the island and the capacity for any service provider to have problems:
“Every provider will have issues, whether it is weather/nature related (like ours), equipment related (like ours), or bad actor related. You are fooling yourself if you think otherwise. We are all vulnerable and can only do so much to protect ourselves from bad actors with nothing better to do than try and exploit and find such vulnerabilities….these hackers deserve scorn and maximum punishment when caught.”
If cyber attacks can take down a big company like Cellcom, with protocols and safeguards in place, Eastman said, small “mom and pop” businesses are even more vulnerable because they usually do not have a staff or budgeted funds dedicated to cybersecurity, nor do they usually have plans in place in case of a cyber incident or attack.
According to a widely-publicized 2022 report, small businesses, defined as having under 100 employees, are subject to 350 percent more social engineering attacks than larger enterprises. The impact can be devastating, both financially and to the company’s reputation.
That is where WICTRA and other organizations like ReadyWisconsin, a Wisconsin Emergency Response-managed public safety campaign for emergencies, including cyber attacks, can help.
They provide resources and support for individuals and organizations after a cyber attack has taken place, but more importantly, according to Eastman, they provide guidance on how to prevent something like that from happening in the first place.
Preparedness
In a situation like the Cellcom outage where customers lost voice and text services, they can send texts or use alternate messaging services like Signal or WhatsApp, or use services that worked over an internet connection, like email, according to Schroeder.
Apart from that, there is not much to be done in a purely reactive way, especially if there is no ability to port one’s phone number to another provider, Eastman said.
Cybersecurity experts advised individuals and organizations to, at the very minimum, have an emergency preparedness plan in place for cyber incidents and outages.
Having backup communication tools in place, training staff on basic cybersecurity practices, considering cyber insurance, which will cover some losses, and asking vendors about their own practices should all be part of a business’s cyber response plan, according to Yue at UW-Platteville.
“Different businesses will have different needs, but it is best to talk through what you’d do in the event you lose access to the things you need to run your business. You can even just have a meeting once every few months to talk through your plans,” Schroeder said. “Having a plan in advance can make a difficult situation easier to get through, whether it is a tornado or a cyberattack.”