Cellular and digital service provider AT&T has had to inform an undisclosed number of customers of a security breach in which three contracted workers accessed personally identifiable information. Apparently they were intent on finding the correct information needed to “unlock” cell phones, so one assumption from the company is that only customers whose phones have been stolen are under threat. These workers were authorized to access AT&T’s customer information, but not for these purposes.

AT&T is one cellular service provider that allows its customers to “unlock” their phones from AT&T’s network in order to switch to a new service provider. This is actually a very generous policy on the part of the phone company, because it means a customer whose service contract has expired is free to take his phone to another company without having to purchase a new one or sign a contract to receive a discounted phone.

However, in order to “unlock” his phone from the network, the customer must be able to provide all of his secure data to the AT&T representative who is assisting him. This prevents thieves from stealing a phone, calling the company to unlock it, and initiating service elsewhere.

The company believes the contractors were attempting to steal the necessary information to unlock previously stolen phones by looking up those specific customers’ accounts. Unfortunately, that information includes addresses, Social Security numbers, and more, so the threat of a full identity theft is still possible.

While the company has not announced how many customers this breach affected, California law requires a company to inform the state attorney general if the number is higher than 500, and AT&T has alerted the AG’s office of this breach.

The company mailed letters to the customers who may have been impacted by this, outlining the steps they should take at this point. Unfortunately, the breach occurred in April of this year, and while AT&T has not explained why it waited so long before informing the public, the affected customers will be granted one-year paid access to a credit monitoring service in light of the loss of personal information.

What makes this data breach most troubling is the exposure of Social Security numbers. While many of the breaches that have been making major headlines recently have a much larger number of individuals affected, this breach has the potential to be much more dangerous.  Breaches where card information is exposed are annoying and can lead to financial identity theft and fraud, but once a consumer knows that their card has, or has the potential to be used fraudulently, they can cancel the card and get a new one.

When a Social Security number is exposed there is the potential for serious identity theft to occur including medical, governmental and criminal identity theft.  These types of identity theft, along with the ability of identity thieves to continue to use the Social Security number to open up new lines of credit, are a lifelong problem and a year of credit monitoring is not going to be sufficient to help victims who have their Social Security number used by identity thieves.

That being said, let’s hope that the purposes of these specific thieves were to just “unlock” cell phones and not for far more nefarious purposes.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues.  This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue.  The ITRC Data Breach Report is available weekly and all information is free to the public.