US telecom AT&T has lately been having problems with malicious insiders, and the latest incident has resulted in the compromise of account and personal information of a yet unknown number of customers.
The breach notification letter sent out to affected users and to the Office of the Vermont Attorney General explains that one of the company’s employees violated their policy and security guidelines by accessing users’ account information, including the users’ social security number and driver’s license number.
“Additionally, while accessing your account, the employee would also have been able to view your Customer Proprietary Network Information (CPNI) without proper authorization,” the letter says. “CPNI is information related to the telecommunications services you purchase from us.”
The breach happened in August 2014, and it seems that some of the stolen information has been misused in the meantime. “To the extent this activity results in any unauthorized charges or changes to your account, they have been or will be reversed,” it says in the letter.
The company has offered free credit monitoring services to affected users, and advised them to place a fraud alert on their credit report. They have also urged them to change the passcode on their account (if they have set it up) or to add one if they haven’t.
According to the updated Vermont data breach notification law, notification to the Vermont Attorney General must occur within 14 business days of either the discovery of the breach or notice to the consumers, whichever is sooner, so it seems that they discovered the breach only quite recently.
The employee in question no longer works for the company.
Earlier this year, AT&T has also suffered a breach by the hands of three employees of one of its vendors, who accessed customers’ account and information in order to be able to impersonate them and get codes to unlock phones from AT&T.
UPDATE, 7 October, 12:30 PM CET According to Reuters, the number of notified and possibly affected customers is around 1,600.