Personal information of an unknown number of AT&T Mobility customers was compromised by employees of a third-party vendor seeking to unlock phones, AT&T has confirmed.
Accounts were accessed without authorization between April 9 and April 21 by employees of one of AT&T's service providers and would have provided access to Social Security numbers and dates of birth, AT&T said in a letter sent to customers. While accessing customer accounts, AT&T said the employees would also have been able to view Customer Proprietary Network Information, which includes the time, date, duration, and destination number of phone calls.
"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization," AT&T said in a statement. "This is completely counter to the way we require our vendors to conduct business...We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement."
AT&T did not say how many customers were affected, but California law requires a company to disclose incidents that affect at least 500 customers in the state. AT&T declined to offer more details on the breach.
AT&T said the accounts were accessed as "part of an effort to request codes from AT&T that are used to 'unlock' AT&T mobile phones in the secondary mobile phone market." Customers can request that phones be unlocked once they've fulfilled their wireless contract, a process most wireless carriers are willing to accommodate. Unlocked cell phones can be used on a wireless network other than that of the originating carrier, making them more valuable on the second-hand market. AT&T believes the breach was a means for the employees to spoof customer identities in order to unlock phones.
AT&T has notified law enforcement of the breach. They are also offering affected customers one year of free credit monitoring.