The accounts of an undisclosed number of AT&T wireless customers were breached last month, exposing sensitive personal data such as Social Security numbers and birth dates, according to the company.
In a letter to customers, AT&T said the breach occurred between April 9 and April 21 and was carried out by the employees of a “service provider.”
Although AT&T didn’t reveal how many people were affected, California law requires companies to notify their customers when they’ve suffered a loss of user data in connection with a malicious attack affecting more than 500 people.
AT&T is offering all of its customers a year of free credit monitoring.
“We have taken steps to help prevent this from happening again,” the company said in a statement to The Washington Post. “We are notifying affected customers, and we have reported this matter to law enforcement.”
Unlike the data breaches that have hit retailers such as Target, there’s something unusual about this attack: AT&T says the hackers’ mission wasn’t to steal credit card numbers or commit other financial fraud.
Instead, they wanted to pretend to be an AT&T customer in order to unlock used handsets.
“AT&T believes the employees (of the outside vendor) accessed your account as part of an effort to request codes from AT&T that are used to ‘unlock’ AT&T mobile phones in the secondary mobile market,” according to AT&T’s letter to consumers.
Unlocking a device makes it possible for a user to switch from one carrier’s network to another.
AT&T and other carriers allow users to unlock their phone, but with heavy restrictions: at the beginning or end of a two-year contract. And customers must do it through their carrier — no taking it to a third-party shop.
The carriers’ tightfisted grip on when devices can be unlocked has drawn heavy complaints from consumer groups.
Critics of the policy say it unnecessarily ties consumers to their carrier and makes it hard for old devices to be reused, particularly in the vast worldwide market for refurbished phones.
The breach at AT&T makes it clear that cybercriminals are not just looking for consumers’ financial information. They sometimes want sensitive personal information just to make it easier to recycle used devices.