AT&T alerts 9 million customers of data breach after vendor hack

AT&T is notifying roughly 9 million customers that some of their information was exposed after a marketing vendor was hacked in January.

"Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan," AT&T told BleepingComputer.

"The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers.

While the data breach notification does not share the number of impacted customers, AT&T told BleepingComputer that "approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed."

The company said the exposed data set was several years old and is mostly associated with device upgrade eligibility. It added that none of its systems were compromised in the vendor security incident.

The exposed CPNI data includes information related to its services, such as the number of lines linked to a customer's account or the wireless plan to which they are subscribed, according to AT&T.

However, AT&T's privacy policy says that while CPNI doesn't include the users' telephone number, name, and address, it does contain "details about who you've called."

Law enforcement alerted of the breach

"​We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission," AT&T says in the CPNI breach notification letters, first spotted by DataBreaches.net and sent from att@message.att-mail.com.

"Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.​"

Customers are advised to toggle off CPNI data sharing on their accounts by making a CPNI Restriction Request to reduce exposure risks in the future if AT&T uses it for third-party vendor marketing purposes.

An AT&T spokesperson is yet to reply to an email asking for more info on what specific information was exposed in the incident and what vendor was breached for this data to be exposed.

In August 2021, AT&T denied a data breach after a notorious threat actor put up for sale a database containing what he claimed to be the personal information of 70 million AT&T customers.