AT&T has begun mailing out letters to customers affected by a data breach that allowed employees of a “service provider” to access customer account information, including customers’ dates of birth and Social Security numbers. The data was exposed in April through a system used to obtain unlocking codes for used AT&T phones for resale, according to the letter, which has been posted by California’s Office of the Attorney General.
“We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and 21, 2014, and while doing so would have been able to view your social security number and possibly your date of birth…," notes the letter. "Additionally, while in your account, these individuals would also have been able to view your Customer Proprietary Network Information (CPNI).”
CPNI data includes the information usually visible on a phone bill—including call activity metadata.