Telecoms giant AT&T exposed 9 million customer records in a third-party data breach. AT&T said the breach exposed Customer Proprietary Network Information (CPNI) such as the number of lines or subscribed wireless plan. This information is highly regulated by U.S. federal laws.
Subsequently, the Dallas, Texas-based telecommunications company notified federal law enforcement about the unauthorized access to comply with the Federal Communications Commission’s regulations.
“Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred,” AT&T posted on the community forum.
Personal information exposed in AT&T third-party data breach
AT&T said the third-party data breach exposed customers’ first names, wireless account numbers, wireless phone numbers, and email addresses. Some wireless accounts also leaked the rate plan name, past due amount, monthly payment amount, monthly charges, or minutes used.
However, the third-party data breach did not expose “credit card information, Social Security Number, account passwords or other sensitive personal information.”
Describing the incident as a supply chain attack, AT&T explained that most of the leaked customer data related to device upgrade eligibility and was several years old.
Although it withheld the identity of the compromised third-party vendor, AT&T said the incident occurred in January.
The telecoms giant responded to an AT&T customer asking if the data breach notification they received was authentic or an attempted email phishing attack. AT&T sent the breach notifications from the address ‘firstname.lastname@example.org[.]com’, which some security-conscious users suspected was an impersonation attempt.
The operator also clarified that its systems were not compromised during the incident, and the breached marketing vendor had fixed the flaw to prevent further exploitation. Additionally, the telecoms giant promised to notify all impacted customers, with some indicating they had already received an email alert.
Meanwhile, AT&T advised its subscribers to add extra password security measures, such as access passcodes, to protect their accounts.
Although the third-party data breach did not leak credit cards or Social Security numbers, victims are still at risk of targeted phishing attacks, which could eventually expose sensitive personal and financial information.
Users should protect their accounts with strong passwords, avoid password reuse, enable multifactor authentication, avoid clicking on unsolicited emails, and monitor their accounts for suspicious activity.
Telecommunications companies are lucrative targets
Meanwhile, the AT&T third-party data breach pales in comparison to the recent T-Mobile leak that exposed the personal information of 37 million subscribers via a vulnerable API.
Telecommunications companies have always been a lucrative target for financially motivated hackers and state-sponsored threat actors.