AT&T confirmed a data security breach that occurred over two weeks in April, adding it was an inside job at one of AT&T’s vendors.
AT&T did not say how many accounts were affected in the two-week breach, although California law requires companies publicly disclose any data breaches that affect more than 500 people.
AT&T also didn’t say why it took two months to announce what had happened. We’ve reached out to the company for further comment.
According to AT&T, three contractors at an unnamed service provider working with AT&T accessed customers’ personal data records between April 9 and 21, including their social security numbers and dates of birth. AT&T said the employees were trying to obtain unlock codes so they could remove devices from AT&T’s network and allow them to be resold. AT&T allows customers to unlock their devices from its network so long as they supply their own account information to verify their identities.
AT&T disclosed the breach in a filing to the California Attorney General’s office, but also reportedly “snail-mailed” letters to every customer affected by the breach. AT&T told those customers to change the passwords affected with their accounts, but said it would offer one year of free credit monitoring services for those same customers in case their personal information is used to make unauthorised charges.
Mark Siegel, AT&T’s executive director for media relations, also emailed the following statement to Re/code on Friday:
We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.
Business Insider Emails & Alerts
Site highlights each day to your inbox.