AT&T, the largest provider of mobile phone services in the United States, is in the process of alerting millions of its cellular customers that a data breach at a third-party vendor may have exposed their customer private network information (CPNI). AT&T, which is one of the major providers in the United States, has around 200 million cellular users; nevertheless, the event has only affected a tiny fraction of the total number of consumers. The massive telecommunications company claimed that these records contained so-called customer proprietary network information, the protection of which is governed by regulations. Despite this, the telco argued that the data in question was “several years old” and “mostly related to device upgrade eligibility.”
AT&T asserts that there was no breach in any of their computer systems. An AT&T official stated the following in a statement:
A security breach occurred at one of the vendors that we use with for our marketing. Consumer Proprietary Network (also known as CPN) There was an unauthorized access to the information of certain cellular accounts, which may have included the number of lines on an account or the wireless pricing plan. The material did not include any sensitive personal information such as credit card details, Social Security numbers, account passwords, or any other information of that kind. Customers that have been impacted will be notified.
AT&T stated in a notice letter that was delivered to consumers and published with The Register that the vendor has subsequently rectified whatever security deficiency led to the aforementioned issues. The letter was distributed to customers. It is also stated in the communication that AT&T “notified federal law enforcement about the improper access.” AT&T does not want to reveal the name of the vendor.
Several consumers have said that they were notified that the data that was exposed included their names, email addresses, wireless phone numbers, and wireless account numbers, in addition to “the number of lines on the account and basic equipment and installment agreement information.”
In certain instances, sensitive information such as the amount of the monthly payment, the amount that was overdue, the name of the rate plan, monthly charges, and/or the number of minutes spent was made public.
AT&T said that the material was a few years old at the very least. According to the statement made by the firm, none of AT&T’s systems were affected by the event.
Even though we are only three months into the year 2023, things are already getting off to a rough start for telecommunications firms and the efforts they are making to secure their customers’ data.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.