AT&T alerts 9 million customers of data breach after vendor hack

AT&T is notifying roughly 9 million customers that some of their information was exposed after a marketing vendor was hacked in January.

"Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan," AT&T told BleepingComputer.

"The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers."

While the data breach notification does not share the number of impacted customers, AT&T told BleepingComputer that "approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed."

Exposed CPNI data includes customer first names, wireless account numbers, wireless phone numbers, and email addresses.

"A small percentage of impacted customers also had exposure of rate plan name, past due amount, monthly payment amount, various monthly charges and/or minutes used. The information was several years old," AT&T said.

The company added that its systems were not compromised in the vendor security incident and that the exposed data is mostly associated with device upgrade eligibility.

Law enforcement alerted of the breach

"​We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission," AT&T says in the CPNI breach notification letters, first spotted by DataBreaches.net and sent from att@message.att-mail.com.

"Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.​"

Customers are advised to toggle off CPNI data sharing on their accounts by making a CPNI Restriction Request to reduce exposure risks in the future if AT&T uses it for third-party vendor marketing purposes.

An AT&T spokesperson is yet to reply to an email asking for more info on what specific information was exposed in the incident and what vendor was breached for this data to be exposed.

In August 2021, AT&T denied a data breach after a notorious threat actor put up for sale a database containing what he claimed to be the personal information of 70 million AT&T customers.

Update March 09, 14:59 EST: Added more details on exposed customer information.