AT&T has been notifying some wireless customers of an incident involving an unnamed vendor.
In a notice sent to a customer who shared it with DataBreaches, AT&T wrote:
AT&T’s commitment to customer privacy and data security is a top priority. We recently determined that an unauthorized person breached a vendor’s system and gained access to your “Customer Proprietary Network Information” (CPNI). In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed. However, please rest assured that no sensitive personal or financial information such as Social Security number or credit card information was accessed.
To address this issue, the following steps have been taken:
- We confirmed with the vendor that the vulnerability has been fixed.
- We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.
If you have an existing account with AT&T, you may want to consider adding our “extra security” password protection to the account at no cost. You can learn more at https://www.att.com/support/article/my-account/KM1051397/
Please accept our apology for this incident. If you have further questions, you may visit: https://att.com/data-event/login You will be prompted for your myAT&T login credentials, and if you do not have a myAT&T profile, you can create one using your account information.
AT&T did not reveal the vendor’s identity other than to say it was a marketing vendor and the incident occurred in January.
On their site with additional information on the incident, AT&T states that the exposed information included customer’s first name, wireless account number, wireless phone number and email address.
“It also included the number of lines on the account and basic device (e.g., iPhone 7) and installment agreement information that was used to help indicate device upgrade eligibility. A small percentage of impacted customers also had exposure or rate plan name, past due amount, monthly payment amount, various monthly charges and/or minutes used.”
Of note, they indicate that the customer information was several years old, and “No credit card information, SSN, date of birth, account passwords or specific device IDs (e.g., IMEI or SIM) were involved.”
DataBreaches sent an inquiry to AT&T asking how many customers were notified of this incident. No reply was immediately provided.
Update of March 10: BleepingComputer reports that approximately 9 million wireless accounts were accessed. AT&T did not reply to the inquiry sent on March 9.