Customer info accessed by third-party unlocking service in AT&T security breach

AT&T has confirmed to ITWorld that it suffered a security breach in which customer information was accessed. The breach occurred back in April, but the company only disclosed it this week in a filing with California regulators.

According to the report, personal information—including social security numbers and call records—was accessed for an unknown number of customers in the breach. It’s believed the attack was part of an effort to obtain unlock codes from the carrier…

Here’s more from ITWorld (via 9to5Mac):

“Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,” the company said in a letter to affected customers. “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market.”

And here’s AT&T’s statement on the matter:

“We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, we are notifying affected customers, and we have reported this matter to law enforcement.”

Unlocking has become a hot business in recent years—particularly here in the US, where most providers still lock devices to prevent them from being used on other networks. It’s also a major political issue, with a bill in the works to change carrier practices.

AT&T says the breach took place between April 9-21, but wouldn’t say how many customers were affected. As noted by ITWorld, however, California state law only requires disclosures like this if the incident affects 500+ customers, so it’s at least that many.

The last major AT&T hack occurred in 2010, when Andrew “Weev” Auernheimer infiltrated the company’s servers and obtained some 100K iPad owner email addresses. He was convicted under the Computer Fraud & Abuse Act, and sentenced to 3 years in jail.