AT&T Vendor Breach Exposes Data

September 29, 2023

AT&T Vendor Breach Exposes Data of 9m Wireless Accounts. AT&T customers may have had their data exposed in a hack that affected a third-party marketing vendor. The Dallas-based telecommunications company said it notified federal law enforcement to comply with US government regulations.

AT&T reassured customers that the hack didn’t expose their credit card information, Social Security numbers or account passwords. It also emphasized that the information was several years old.

CPNI

At least nine million AT&T wireless customers had their Customer Proprietary Network Information (CPNI) accessed by hackers after a marketing vendor was hacked in January. The telecommunications company has now begun notifying customers that the breach affected their data. The good news is that the breach did not expose credit card information, Social Security numbers or account passwords.

CPNI includes details about the telecommunications services AT&T provides to its customers including how many lines are on a subscriber’s wireless account and what kind of service they are using. It is highly regulated by US federal laws. AT&T notified federal law enforcement of the breach to comply with regulations set by the Federal Communications Commission.

The hacked information did not include AT&T customers’ credit card information, Social Security numbers or account passwords, but it did expose data like first names, wireless account number, email addresses and more. Bleeping Computer notes that a small percentage of impacted customers also had their rate plan name, past due amounts, monthly payment amounts and various monthly charges and minutes used exposed.

It’s not clear how the hack occurred, but AT&T says that it did not affect its own systems and the vulnerability has now been fixed. It notified federal law enforcement about the breach as required by regulation, and it has also started notifying its own customers.

AT&T says it is providing free identity theft protection for its customers. It’s also offering a year of credit monitoring to those who have been affected. It will not be sharing CPNI with third parties and the company is working to limit the use of that data for marketing purposes. The carrier is urging customers to add extra security for their accounts by changing their passwords, adding two-step verification and enabling biometric login options.

Phone Numbers

AT&T customers may want to be on the lookout for phishing attacks after one of its third-party vendors was hacked in January, exposing some of their personal information. In a statement, AT&T confirmed that a hack affecting its marketing vendor resulted in Customer Proprietary Network Information, including first names, wireless account numbers and email addresses being exposed, but the telecom giant emphasized that its own systems weren’t compromised.

Those impacted by the breach can expect to receive an AT&T notification letter. Those letters will also include their AT&T plan name, rate plan, past due amounts and monthly payment amounts, among other data points. The data accessed was several years old and mostly related to device upgrade eligibility, AT&T noted.

AT&T isn’t alone in having to deal with such breaches this year, with rival T-Mobile having already reported that it was hacked in December 2021 and 37 million accounts were exposed. While the data breaches involving telecommunications companies may not seem as threatening as those involving financial institutions or retailers, it’s worth remembering that cyberattackers have plenty of resources to target their targets.

A telephone number is an address for switching a telephone call using a system of destination code routing, which involves the telephone exchange sending a sequence of digits to another phone exchange to complete the telephone call, either to locally connected subscribers or via the Public Switched Telephone Network (PSTN) to the called party.

A telephone number can contain up to 10 digits, and is assigned by the local phone company based on geographic location. The digits, which are entered on the originating phone set by a calling party, are transmitted in an ASCII format to the phone exchange where they are converted into the digits that appear on the recipient’s phone.

Email Addresses

The email addresses of about 9 million AT&T customers were exposed by a vendor hack in January, according to the wireless carrier. The company says that its own systems weren’t affected by the breach and that a third-party marketing vendor was hacked, exposing customer information that included first names, wireless account numbers and wireless phone numbers. The information impacted by the hack was primarily related to upgrade eligibility for devices, AT&T says. But threat actors could use this information to conduct phishing attacks, the company warns.

The data that was exposed by the breach includes people’s first names, wireless account number and wireless phone number, as well as their rate plan name, past due amounts, monthly payment amounts, various monthly charges and minutes used. AT&T says the data was several years old and didn’t affect its systems directly.

AT&T notified impacted customers in an email earlier this month, letting them know the CPNI breach was the result of “a security issue that a third-party vendor experienced.” The company said the vulnerability had been fixed and it has informed federal law enforcement agencies about the unauthorized access.

In its email to affected customers, AT&T advised those impacted to be vigilant for phishing attacks and change their passwords, if they haven’t done so already. It also told them they could opt-out of CPNI sharing by making a CPNI Restriction Request.

AT&T isn’t the only wireless carrier that has been hacked recently, with rival T-Mobile reporting a data breach involving 37 million customers in January. Massive cyberattacks are a growing concern for companies of all sizes, and the telecom industry is particularly vulnerable given the proliferation of IoT devices, push towards 5G and geopolitical conditions as carriers provide critical infrastructure to nations around the world.

Past Due Amounts

AT&T customers have started receiving emails about a data breach at one of its vendors that affected their personal information. The carrier says the hacked vendor’s systems exposed Customer Proprietary Network Information (CPNI) for around nine million wireless customers. That includes things like their rate plan names, past due amounts, monthly payment amounts and various charges and minutes used. However, AT&T emphasized that the CPNI didn’t include any credit card information, Social Security numbers or account passwords. The company also noted that the CPNI accessed was several years old.

In a letter to affected customers, AT&T said that the unnamed marketing vendor suffered a vulnerability in its systems and was hacked. It said its own systems were not breached and that it had reported the incident to law enforcement agencies. It also offered affected customers the option to add “extra security” to their password protections at no additional cost.

While AT&T reassured customers that its own systems were not compromised, the breach highlighted the growing risk of hacking against telecom companies. T-Mobile was stung by similar attacks in 2021, and the un-carrier’s rival Verizon also had to report a data breach earlier this year that affected 37 million of its customers.

AT&T’s CPNI-sharing policy requires it to get consent from its customers before sharing their data with third parties. Affected AT&T customers can reduce the chance of their information being sold by switching to a CPNI Restriction Request, which will limit AT&T from using their information for marketing purposes. But that will not prevent AT&T from contacting customers in the future to offer them services. Affected customers are also able to opt out of these notifications by sending an email to AT&T.

Monthly Payment Amounts

AT&T has notified around nine million wireless subscribers that their data has been exposed after a third-party vendor was breached. The telecommunications giant is notifying customers that their Customer Proprietary Network Information (CPNI) was compromised in the breach, which happened in January. The company says that the CPNI exposed in the hack did not include sensitive information like credit card numbers, social security numbers and account passwords.

In its emailed statement, AT&T told customers that the third-party breach affected their CPNI but did not compromise its own systems. CPNI includes information about how customers use their services, including how many lines they have on their accounts and wireless rate plans. The CPNI that was exposed in the hack included first names, wireless account numbers, wireless phone numbers and email addresses. Additionally, AT&T said that some impacted customers also had their monthly payment amounts, past due amounts, rate plan name and various monthly charges and minutes used accessed.

The company did not disclose which third-party vendor was hacked in the data breach, but it did say that it is working with the federal authorities to investigate the incident. The company is recommending that customers review their online billing statements to check for suspicious activity. It has also offered customers the opportunity to add extra security to their passwords at no cost.

In the past, hackers have hacked telecom companies to expose customer data for marketing purposes. In 2022, a ransomware group that called itself the Everest gang posted details of 70 million AT&T accounts on a dark web forum for sale. It was a massive breach that affected customers and raised questions about how the telecom industry protects its data and how it allows third-party vendors to use that data for marketing purposes.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us