AT&T confirms data breach as hackers hunted for codes to unlock phones

AT&T Mobility (NYSE: T) confirmed that three employees of one of its vendors, which it did not name, accessed an unknown number of customers' personal information, including Social Security numbers and call records, between April 9 and April 21. The hackers were not after credit card information or other financial details, but rather were trying to pretend they were AT&T customers so they could get codes from AT&T to unlock phones.

Although the breach occurred around two months ago AT&T only disclosed the breach late last week with a filing with California regulators. It's unclear how many customers were affected or if customers outside of California were affected,  but California law requires such disclosures if a data breach impacts at least 500 customers in California.

"Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization," the company said in a letter to affected customers. "AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to 'unlock' AT&T mobile phones in the secondary mobile phone market."

Carriers often use software to lock phones to their networks but can unlock them for customers if subscribers request an "unlock code"  from carriers. An unlocked phone can be moved to another network, though that does not mean that it will work exactly the same way on another network due to differences in the spectrum bands used by carriers, and the corresponding, radios and chipsets they have in their devices. In the U.S., AT&T and T-Mobile US (NYSE:TMUS) have the most similar networks, and unlocked phones are also valuable on the secondary market around the world.

"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization," AT&T said in a statement distributed to multiple media outlets. "This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement."

According to IDG News Service, AT&T declined to comment on whether the phones that the hackers were trying to unlock had found their way to the second-hand market through legitimate channels because of theft. The CTIA has noted that carriers have set up a national database to meant to deactivate phones that have been reported stolen. However, several police officials have said that the database has been ineffective in deterring crime because many of the stolen phones end up overseas, where the database is not in force. In late November 2013 CTIA announced the launch of a global, multi-carrier, common database for LTE smartphones.

It's unclear how much AT&T's policy on locking phones contributed to the data breach. AT&T, along with Verizon Wireless (NYSE: VZ), Sprint (NYSE: S), T-Mobile and U.S. Cellular (NYSE:USM), agreed in December 2013 to simplify and standardize their policies on unlocking cell phones and tablets.  The CTIA and the carriers will recommend that six principles on unlocking devices be added into the CTIA's consumer code for wireless service.

According to the CTIA, the six "principles" around cell phone unlocking are:

1. Disclosure: Carriers will clearly explain their policies on unlocking

2. Postpaid Unlocking Policy: Once customers finish their service contracts on postpaid plans, carriers will--upon request--unlock customers' phones.

3. Prepaid Unlocking Policy: Carriers, upon request, will unlock prepaid phones no later than one year after activation.

4. Notice: Carriers agree to notify customers when their phones are eligible for unlocking. Carriers can also charge non-customers a fee to unlock phones.

5. Response Time: Carriers will unlock phones within two business days.

6. Deployed Personnel Unlocking Policy: Carriers will unlock the phones of military who are deployed.

Despite the commitments, carriers have until December 2014 to implement all of the principles as part of their service. AT&T spokesman declined to address the issue, according to the Washington Post.

For more:
- see this IDG News Service article
- see this Re/code article
- see this CNET article
- see this Washington Post article

Related Articles:
Verizon, AT&T, Sprint and T-Mobile say customers are protected from Heartbleed bug
Verizon, AT&T, Sprint, T-Mobile and U.S. Cellular agree to new cell phone unlocking rules
FCC, carriers reportedly near deal on cell phone unlocking
FCC's Wheeler pressures CTIA to clarify carriers' phone unlocking policy
NTIA pushes FCC to mandate free cell phone unlocking