US mobile phone carrier AT&T is notifying millions of wireless customers that their customer proprietary network information (CPNI) was compromised in a data breach at a third-party vendor.
One of the largest carriers in the US, AT&T has roughly 200 million wireless customers, but only a small percentage of the total has been impacted by the incident.
“Approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed,” AT&T said in an emailed statement.
“We recently determined that an unauthorized person breached a vendor’s system and gained access to your ‘customer proprietary network information’ (CPNI),” the company told impacted customers in an email notification, copies of which were shared by users on AT&T’s community forums.
“In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed,” AT&T continued.
The impacted vendor, AT&T told SecurityWeek, provides marketing services. No personal or financial information was impacted in the data breach.
“A vendor that we use for marketing experienced a security incident. Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan. The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers,” AT&T said.
The notification emails to customers also informed them that the issue was resolved and that authorities were informed of the incident.
“Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred,” the company said.
Some users reported they were informed that the exposed data included names, email addresses, wireless phone numbers, and wireless account numbers, along with “the number of lines on the account and basic device and installment agreement information”.
In some cases, information such as monthly payment amount, past due amount, rate plan name, and monthly charges and/or minutes used was also exposed.
According to AT&T, the information was several years old. No AT&T systems were compromised in the incident, the company said.
*Updated with commentary from AT&T
Related: Hackers Claim to Have Data of 70 Million AT&T Customers
Related: Media Giant News Corp Discloses New Details of Data Breach
