This article is more than 1 year old

AT&T blames marketing bods for exposing 9M accounts

Says it was old and boring data, so that's OK, then ...

AT&T has confirmed that miscreants had access to nine million of its wireless customers' account details after a vendor's network was broken into in January.

The telecommunications giant told us these records included so-called customer proprietary network information, the safeguarding of which is regulated — though the telco argued the data said was "several years old," and "mostly relating to device upgrade eligibility."

According to AT&T, its systems were not compromised. In a statement to The Register today, an AT&T spokesperson said:

A vendor that we use for marketing experienced a security incident. Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan. The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers.

According to the notification letter sent to customers and shared with The Register, AT&T confirmed that the vendor has since addressed whatever security shortcoming led to the above. The missive also says AT&T "notified federal law enforcement about the unauthorized access."

The US carrier also recommended customers add "extra security" password protection to compromised accounts, which comes at no charge.

AT&T declined to identify the vendor. While The Register has absolutely no proof the two are related, we will note that email marketing firm Mailchimp was also breached in January and said intruders gained access to more than 100 customer accounts.

In a seemingly similar incident last summer, Hold Security said it had discovered stolen data for sale that included names, Social Security numbers, dates of birth, email and physical addresses, and phone numbers belonging to about 23 million Americans that, "likely belongs to AT&T customers."

While we're not even a full three months into 2023, the year is already off to a rocky start for telecommunications companies and their data security efforts.

Last month Canadian communications giant Telus told The Register that it is investigating whether crooks have stolen employee data and its source code, all of which is being offered for sale on a criminal forum.

And in January another carrier, T-Mobile US, admitted a data breach in which someone abused an API to download personal information belonging to 37 million subscribers. This was the network operator's sixth security snafu in five years. ®

More about

TIP US OFF

Send us news


Other stories you might like