AT&T has notified approximately 9 million customers that some of their information was exposed in a data breach that occurred in January. The company said that the customer proprietary network information (CPNI) from some wireless accounts was exposed.
This includes customer first names, wireless account numbers, wireless phone numbers, and email addresses. A small percentage of impacted customers had additional data exposed, such as rate plan name, past due amount, monthly payment amount, various monthly charges, and/or minutes used.
The exposed data is mostly associated with device upgrade eligibility, and the information was several years old. The breach did not expose credit card information, Social Security numbers, account passwords, or other sensitive personal information.
AT&T said that a marketing vendor was hacked, and its CPNI data was accessed. The company’s systems were not compromised in the vendor security incident. The exposed data is used for third-party vendor marketing purposes.
The company has notified law enforcement about the unauthorized access of customer CPNI, as required by the Federal Communications Commission. Customers are advised to toggle off CPNI data sharing on their accounts to reduce exposure risks in the future.
In August 2021, AT&T denied a data breach after a notorious threat actor put up for sale a database containing what he claimed to be the personal information of 70 million AT&T customers.
The current data breach notification does not share the number of impacted customers. AT&T has not yet provided more information on what specific information was exposed in the incident or which vendor was breached.