AT&T says 9 million customers exposed in January vendor breach

Telecommunications giant AT&T confirmed this week that a breach exposed the sensitive information of about 9 million customers.

A spokesperson told The Record that the leaked dataset was several years old and related to device upgrade eligibility.

AT&T’s own systems were not compromised, the company said, but they would not say which third-party vendor was attacked, only explaining that they were told the breach occurred in January.

The data accessed was from Customer Proprietary Network Information that telecommunications companies collect about subscribers – including details about how customers use services, as well as charges.

“A vendor that we use for marketing experienced a security incident. Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan,” the spokesperson said.

“The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information.”

DataBreaches.net was the first to report that AT&T sent out breach notification letters to the 9 million victims.

In an AT&T community forum on Monday, a customer asked whether a breach notification letter they had received was legitimate.

In the letter, the company said an “unauthorized person” breached a vendor system but no sensitive information was accessed.

The company said they confirmed with the vendor that the vulnerability was fixed and that federal law enforcement was notified about the breach due to Federal Communications Commission regulations.

They urged customers to add additional password protection to their accounts.

This is not AT&T’s first run-in with a vendor breach. In August 2022, the company said a database of stolen information that included the Social Security numbers of 23 million Americans “may be tied to a previous data incident at another company.” They denied that it was a breach of their own systems and said it likely involved information resurfaced from a past breach.

BleepingComputer reported in 2021 that well-known hacking group ShinyHunters was selling a database of stolen information on a dark web forum that had the sensitive information of more than 70 million AT&T customers.

In January, the Federal Communications Commission voted unanimously to investigate potential changes to the breach notification rules for telecommunications companies – citing several breaches at AT&T and several of the country’s largest telecommunications companies.