Number of customers affected is unknown; theft may have been aimed at unlocking stolen smartphones

In a series of "snail-mail" (traditional postage) letters and an accompanying filing with the Office of the Attorney General for the State of Calif. (OAG-CA), AT&T, Inc. (T) has disclosed a data breach that has affected an unspecified number of U.S. wireless subscribers.

The breach occurred between April 9 and 21.  AT&T accuses three contractors working at an unnamed service provider of abusing their access to customer records during that time to download a treasure trove of personal/financial information on customers, including:
  • social security numbers (only some customers)
  • dates of birth
The attack was discovered on May 19, according to the filing.

AT&T spokesman Seth Bloom gave DailyTech the following statement:

We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.

AT&T wrote in the letter that it believes the contractors were involved with efforts to unlock smartphones, hinting that the end goal might be to restore traffic to stolen devices.  With growing income disparity, theft of high-end electronics such as smartphones is on the rise in America; in 2013 1.4 million smartphones were stolen and not recovered [source].

The illegally obtained customer data could be abused in attempts to unlock stolen smartphones. [Image Source: Android Headlines]

But it's possible that the contractors stole client data to allow customers who legally own their phones, but wish to protect their privacy, to unlock their devices.  AT&T's current rules (similar to those of other carriers) -- which came into place in 2012 -- allow you to take a device you legally own to another carrier, provided you pay early termination fees (ETFs) if your contract is not complete.  However, you must provide personal information (including a valid social security number) in order to complete that process.

While legal subscribers almost certainly have already given that information to AT&T, some might hesitate at handing it out a second time.  Using stolen credentials, it would be possible for a device to masquerade as a legitimate subscriber's handset and step through the unlocking process without giving out personal information.

The breach was revealed this week via the letters to customers and the letter to Calif., which was written because Calif. state law (Calif. CC § 1798.80) mandates that companies disclose any data breach affecting more than 500 customers.  How many more customers were affected is currently unknown.


Much like Target Corp. (TGT) did with its recent breach, AT&T is offering affected customers a year of free credit monitoring services to protect them from illegal charges.  For now customers can be guardedly optimistic that the breach might have been done for more innocent reasons, unlike the Target breach which was clearly a financial theft operation against customers.
AT&T customers should be on the lookout for suspicious charges, though, until the extent of the breach is known.  AT&T is America's second largest carrier, with roughly 76 million subscribers, behind only Verizon Communications Inc.'s (VZ) Verizon Wireless network, which has more than 96 million subscribers.  AT&T also provides landline, cable internet (U-verse), and enterprise IT services.

Sources: AT&T, Office of the Attorney General for the State of Calif., Business Insider
