AT&T has acknowledged that its network was inappropriately accessed.
In April, three employees of one of its vendors hacked in and had access to customer records, including Social Security numbers, in some instances, and call records, Dallas Business Journal reported June 13.
The hack was part of an effort to unlock older phones for use on other networks, AT&T told affected customers in a letter sent out last week.
AT&T hasn't said how many customers were affected, but California law requires businesses to alert customers when more than 500 customers are at risk, according to Hawaii News.
That site posted a copy of a letter AT&T sent to the California Better Business Bureau, showing what was sent to customers. One version of the letter, AT&T explained to the BBB, said that Social Security numbers and possibly birth dates were exposed, while others letters said only birth dates.
The letters, sent by Brian E. Woolverton, director of Consumer Centers Sales & Service, added that the hack had no impact to customers' mobile devices, and that the vendor has let the employees go.
To "address any inconvenience," Woolverton said AT&T has taken two steps: It has notified federal law enforcement of the unauthorized access of Customer Proprietary Network Information (CPNI), and it has arranged to offer customers one year of free credit monitoring. The service is already paid for, but customers will need to enroll themselves for it to begin.
"You may also want to consider contacting the major credit reporting agencies to place a fraud alert on your credit report, and to learn about identity theft programs offered by the Federal Trade Commission," wrote Woolverton.
He also encouraged customers to change the passcodes on their accounts, or if they don't have a passcode, to add one, and noted that alerting federal law enforcement of the matter didn't cause any delay to customers being notified. However, he didn't say why the notification was coming two months after the break-in.
Woolverton offered his "sincere apology" for the incident.
In a statement to the press, AT&T said:
"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers and reported this matter to law enforcement."