AT&T has confirmed a security data breach in which attackers have compromised the security of a number of its mobile customers and stolen personal information including Social Security numbers and call records.
Back in April this year, AT&T suffered a data breach in which some of its customer information, including birth dates and Social Security numbers had been inappropriately accessed by three employees of one of its third-party vendors, in order to generate codes that could be used to unlock devices.
Moreover, the hackers would have also been able to access its users’ credit report with Customer Proprietary Network Information (CPNI) during the process without proper authorization, that means the information related to what subscribers purchase from AT&T would also have been compromised.
The Dallas-based telecommunications giant did not specify the number of customers or type of information affected by this data breach, but state law requires such disclosures if an incident affects at least 500 customers in California. Neither it revealed that why it took so long to confirm the breach.
AT&T sent a letter to the California Attorney General explaining the recent data security breach to its mobile customers, and said that the third-party contractor’s employees who were responsible for the breach were terminated and will no longer for the company.
> “AT&T’s commitment to customer privacy and data security are top priorities, and we take those commitments very seriously. We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and April 21, 2014, and, while doing so, would have been able to view your social security number and possibly your date of birth,” the letter says.
Many mobile phone providers are provided by carriers with a software lock that prevents the devices from being used on other competitors’ networks. AT&T allows its users to typically request an "unlock code" that unlock their devices from its network and to do this the customers have to provide their own account information to verify their identities.
According to the company, the company discovered the data breach on 19 May, and it believes the alleged employees were trying to obtain the unlock codes of the devices so that they could remove devices from AT&T's network to other cellphone networks around the world for second-hand markets resale.
> “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.”
AT&T had reported the matter about the data breach to the law enforcement of United States and thereby announced that it would offer one year of free credit monitoring service for affected users.