Internet giant AT&T has notified a portion of its mobile customers that they may have been affected by a data breach. Employees of one of its contractors are said to have accessed customer information that includes birth dates and social security numbers; the reason for accessing the information was to generate codes that could be used to unlock devices.
AT&T did not specify how many customers may have been affected in the breach, and it does not appear that any financial data was accessed. In a letter to the California Attorney General, AT&T explained the incident and specified that it resulted in the immediate termination of the contractor’s employees.
“AT&T’s commitment to customer privacy and data security are top priorities, and we take those commitments very seriously. We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and April 21, 2014, and, while doing so, would have been able to view your social security number and possibly your date of birth,” the letter reads.
“AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.”
Security researchers say that, while the breach had no financial motive, it is still worrisome.
“Every custodian of consumer information, like AT&T, will face an event like this. What separates those you should trust from others is clarity and confidence in communicating when faced with an announcement like this. Customers should feel confident that the companies entrusted with their sensitive information are applying technical controls to prevent criminal misbehavior, not just hoping that their users won’t behave ‘counter to the way we require our vendors to conduct business,’” Trey Ford, global security strategist at Rapid7, told Threatpost.
“Customers and the general public will want to know when the initial breach happened, how it happened, how it was detected, and how long detection took. We want to know that the problem was contained, what data was affected, and how it might be corrected and prevented in the future. AT&T has not provided this information in its disclosure,” he continues.
In the company letter, AT&T offers affected customers a year of free credit monitoring to compensate for the possible breach. It also recommends that customers change their account passcodes as a general security precaution.