AT&T is informing customers about a data breach at a vendor’s system that allowed threat actors to gain access to AT&T’s Customer Proprietary Network Information (CPNI).
The incident came to light after customers posted the email communication from AT&T on community forums to know if it was legitimate or email fraud.
“We recently determined that an unauthorized person breached a vendor’s system and gained access to your ‘Customer Proprietary Network Information’ (CPNI),” AT&T said in the email.
About nine million customers affected
Approximately nine million customers’ CPNI was accessed by the threat actors, according to a statement given by the company to Bleeping Computer.
CPNI is the information that telecommunication companies in the US acquire about subscribers and includes information on the services they use, the amount paid for the services, and the type of usage. This information is used by third-party communication vendor companies for marketing purposes. Accessing CPNI information typically requires a warrant from a law enforcement agency.
“In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed,” AT&T said in its email to affected customers assuring them that no sensitive personal or financial information such as social security number or credit card information was accessed.
AT&T’s marketing vendor suffered a security failure in January. Exposed CPNI data of AT&T customers included first names, wireless account numbers, wireless phone numbers, and