AT&T has notified some of its mobile customers that employees of one of its contractors accessed some customer information, including birth dates and Social Security numbers, in an effort to generate codes that could be used to unlock devices.
The company did not specify how many customers were affected by the breach, and it doesn’t appear that any financial information was accessed. AT&T sent a letter to the California Attorney General explaining the breach, and said that as a result of the incident, the contractor’s employees who were responsible for the breach were terminated.
“AT&T’s commitment to customer privacy and data security are top priorities, and we take those commitments very seriously. We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and April 21, 2014, and, while doing so, would have been able to view your social security number and possibly your date of birth,” the letter says.
“AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.”
Security experts say that while there was apparently no direct financial effect on customers, the breach is still concerning.
“Every custodian of consumer information, like AT&T, will face an event like this. What separates those you should trust from others is clarity and confidence in communicating when faced with an announcement like this. Customers should feel confident that the companies entrusted with their sensitive information are applying technical controls to prevent criminal misbehavior, not just hoping that their users won’t behave “counter to the way we require our vendors to conduct business,” said Trey Ford, global security strategist at Rapid7.
“Customers and the general public will want to know when the initial breach happened, how it happened, how it was detected, and how long detection took. We want to know that the problem was contained, what data was affected, and how it might be corrected and prevented in the future. AT&T has not provided this information in its disclosure.”
In its letter, AT&T said that it is offering affected customers a year of free credit monitoring and is recommending that people change the passcodes on their accounts as a precaution.