An undisclosed number of AT&T wireless customers have had their accounts broken into, exposing sensitive personal data like Social Security numbers and dates of birth, according to the company.
In a letter to customers, AT&T is telling users that the breach occurred between April 9 and April 21, and by way of apology, the company is offering a year of free credit monitoring. Although AT&T didn't reveal how many people were affected, California law requires companies to notify their customers when they've suffered a loss of user data in connection with a malicious attack affecting more than 500 people.
"We have taken steps to help prevent this from happening again," the company said in a statement to The Washington Post. "We are notifying affected customers, and we have reported this matter to law enforcement."
Unlike the relatively straightforward data breaches involving Target and P.F. Chang's, though, there's something unusual about this attack: AT&T says the hackers' intent wasn't to steal credit card numbers or commit other financial fraud. Instead, all they wanted was to pretend to be an AT&T customer so they could do something far more benign: unlock old, used handsets.
"AT&T believes the employees [from an outside service vendor] accessed your account as part of an effort to request codes from AT&T that are used to 'unlock' AT&T mobile phones in the secondary mobile market," AT&T's letter to consumers read.
The process of unlocking frees up a device so that it can be taken from one carrier's network to another. It's nice to be able to do when you want to bring your phone from, say, AT&T, to T-Mobile, or if you want to take your phone on a trip overseas. AT&T and other carriers currently let you unlock your phone, but with heavy restrictions: You can only do it at the end of your two-year contract, or at the beginning. And you must do it through your carrier — no taking it to a third-party shop while you're on the ground in Karachi or wherever you are.
The carriers' tightfisted grip on when you can unlock your own device has drawn heavy complaints among consumer groups. Critics of the policy say it unnecessarily ties consumers to their carrier and makes it hard for old devices to be reused, particularly in the vast worldwide market for refurbished phones. Now with the breach at AT&T, it's clear there are people out there who will compromise our most sensitive information just to make it easier to recycle used devices.
In light of that, it may be fair to ask whether this whole hacking episode could have been averted if the carriers adopted a more progressive policy on cellphone unlocking. An AT&T spokesman declined to address the issue. Wireless industry officials have argued that the tighter controls help limit a "gray market" for stolen phones that, because of their uncertain provenance, could be loaded with malware designed to steal the user's personal information.
Ironically, the carriers' tough stance on cellphone unlocking may have just led to that outcome, anyway.