AT&T this week confirmed important customer data was accessed without authorization by a third-party vendor attempting to unlock phones, with info like social security numbers and dates of birth potentially at risk; AT&T also said time, date, duration and destination number of phone calls may have also been obtained. The carrier confirmed in a statement the attack took place between April 9 and April 21, with those affected having already been notified.
"This is completely counter to the way we require our vendors to conduct business…We have taken steps to prevent this from happening again, notified affected customers, and reported this matter to law enforcement."
It doesn't appear this is a particularly widespread issue, though AT&T refrained from disclosing how many customers may have been affected. As CNET notes, California law requires a company to make disclosures of incidents that affect at least 500 customers in the state. That doesn't mean, however, that a significant number of customer data in other states wasn't compromised.
The information was apparently accessed through a vendor seeking to unlock AT&T phones for use outside of the carrier's network. AT&T does provide its own unlocking service, though only once a customer's contract obligations have been fulfilled. As part of the incident, AT&T has offered on free year of credit monitoring to those affected.