AT&T is informing about 9 million wireless customers that their Customer Propriety Network Information (CPNI) was accessed by an unauthorized person through a vendor’s system.
The data was several years old, mostly relating to device upgrade eligibility, AT&T said in a statement.
Importantly, the information did not contain credit card information, Social Security numbers, account passwords or other sensitive personal information, AT&T said.
“A vendor that we use for marketing experienced a security incident,” AT&T said in a statement. “We are notifying affected customers.” AT&T did not identify the vendor.
According to letters posted on an online forum, customers started receiving email messages from AT&T earlier this week. AT&T told customers that it confirmed with the vendor that the vulnerability was fixed and that it notified federal law enforcement about the unauthorized access as required by the FCC.
AT&T said its own systems were not compromised in this incident.
Data breaches are nothing new for wireless carriers, but they tend to happen more often at T-Mobile – so much so, people have wondered why AT&T and Verizon didn’t use that in their own marketing campaigns.
In January, T-Mobile reported a data breach that involved an estimated 37 million prepaid and postpaid customers. The “un-carrier” said a bad actor was obtaining data through a single Application Programming Interface (API) starting on or around November 25, 2022.
T-Mobile said it was addressing the incident and continuing to make substantial investments to strengthen its cybersecurity program.
Anshel Sag, analyst at Moor Insights & Strategy, told Fierce at that time that he didn’t think T-Mobile’s systems were any less secure than AT&T’s and Verizon’s.
Other analysts noted that T-Mobile’s data breaches aren’t affecting its ability to attract more consumers as customers, but that its desire to grow market share in the business sector could take a hit.