Cyber Incident Victim: AT&T
Date: Jan 2023
Location: United States of America
Summary
AT&T notified approximately 9 million wireless customers that their Customer Proprietary Network Information was exposed following a breach at a marketing vendor. The compromised data included first names, wireless account and phone numbers, email addresses, and—for a smaller subset—details such as rate plan names, payment amounts, and usage metrics, all several years old. Sensitive personal information like Social Security numbers, passwords, or financial data was not involved. The company confirmed its own systems remained secure and reported the incident to federal law enforcement as required. Affected customers were advised to restrict CPNI sharing with third parties to reduce future exposure risks.
Description
In January 2023, AT&T experienced a data breach impacting approximately 9 million wireless customers after a third-party marketing vendor was compromised. The incident exposed Customer Proprietary Network Information (CPNI), including customer first names, wireless account numbers, wireless phone numbers, and email addresses. A small percentage of affected accounts also had additional details exposed, such as rate plan names, past due amounts, monthly payment amounts, various monthly charges, and minutes used, though this information was described as being several years old. AT&T emphasized that its own systems remained uncompromised and that the breach originated solely from the vendor environment. The company clarified that no sensitive personal information—including Social Security numbers, credit card details, or account passwords—was accessed. The exposed CPNI data primarily related to device upgrade eligibility information used for marketing purposes.

AT&T notified federal law enforcement about the unauthorized CPNI access in compliance with Federal Communications Commission requirements, though the report did not include specific customer account details. The company began directly alerting impacted customers via email from [email protected], advising them to submit CPNI Restriction Requests to disable third-party data sharing for marketing purposes as a preventive measure. While AT&T confirmed the breach’s scope and general data categories, it did not publicly identify the affected vendor or provide granular specifics about the attack methodology when queried by media outlets. The notification process and public disclosure occurred in March 2023, approximately two months after the vendor breach was discovered. No customer financial losses or account compromises were reported as a direct consequence of the incident.
