AT&T is notifying approximately 9 million customers that some of their information was exposed after a marketing provider was hacked in January.
“Customer proprietary network information of some wireless accounts, such as the number of lines on an account or the wireless rate plan, was exposed,” AT&T told BleepingComputer.
“The information did not contain credit card information, social security number, account passwords or other sensitive personal information. We are notifying affected customers.”
While the data breach notification doesn’t share the number of customers affected, AT&T told BleepingComputer that “approximately 9 million wireless accounts had access to customer-proprietary network information.”
Exposed CPNI data includes customer names, mobile account numbers, mobile phone numbers, and email addresses.
“A small percentage of affected customers also had exposure of rate plan name, amount due, monthly payment amount, various monthly charges and/or minutes used. The information was several years old,” AT&T said.
The company added that its systems were not compromised in the carrier security incident and that the exposed data is primarily associated with device upgrade eligibility.
Police alerted to non-compliance
“We have notified federal law enforcement of the unauthorized access to your CPNI as required by the Federal Communications Commission,” AT&T says in the CPNI breach notification letters, first spotted by DataBreaches.net and sent from [email protected] message.att-mail. com.
“Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.”
Customers are encouraged to turn off CPNI data sharing on their accounts when making a CPNI Restriction Request to reduce future exposure risks if used by AT&T for third-party vendor marketing purposes.
An AT&T spokesperson has not yet responded to an email requesting more information about what specific information was exposed in the incident and which provider was breached to expose this data.
In August 2021, AT&T denied a data breach after a notorious threat actor put up for sale a database containing what he claimed was the personal information of 70 million AT&T customers.
Update Mar 09, 02:59 PM EST: Added more details about exposed customer information.
