updated 09:12 pm EDT, Fri June 13, 2014
Names, call records, Social Security numbers may have been copied in April
In a filing with California regulators this week, AT&T has revealed that it suffered a security breach in mid-April of this year that allowed employees of a smartphone unlocking service to access personal customer records. The carrier has sent out letters to affected customers. The letter says AT&T believes its service provider copied customer records "as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market."
According to the report, the copying took place between April 9 and 21, and the employees of the service provider may have copied customer data, call records and Social Security numbers of customers. AT&T itself will unlock smartphones once customers have completely finished the original contract, and other carriers often have even more liberal unlocking policies. However, impatient customers or frequent travellers often resort to third-party unlocking services, which sometimes rely on borrowing a different customer's records in order to fool the carrier into providing the unlock code needed to disable the carrier-based locks on the device.
AT&T wouldn't say how many customers had been affected by the breach, but the number is thought to be large. The California law that forced the revelation of the stolen data requires such disclosures only if the breach affected more than 500 customers in the state, reports IDG.
The US House of Representatives last year passed a bill that reversed a Library of Congress decision that made unlocking smartphones without the carrier's permission illegal (essentially giving carriers the sole discretion to unlock formerly-under-contract phones). However, the House amended the original proposal to allow unlocking only by individuals who can be proven to own the phones in question, not "bulk" resellers, in an attempt to combat cellphone theft.
As the advocacy group the Electronic Frontier Foundation (EFF) explains, blocking the bulk unlockers (who acquire phones, unlock them and resell them), "sends two dangerous signals: (1) that Congress is OK with using copyright as an excuse to inhibit certain business models, even if the business isn't actually infringing anyone's copyright; and (2) that Congress still doesn't understand the collateral damage Section 1201 [of the DMCA] is causing. For example, bulk unlocking not only benefits consumers, it's good for the environment - unlocking allows re-use, and that means less electronic waste." That bill is currently stalled in the Senate.
The EFF and other unlocking proponents have since endorsed a different House bill, the Unlocking Technology Act, as it limits violation of section 1201 to "actual cases of copyright infringement," such as unauthorized persons attempting to unlock a smartphone. In the meantime, the FCC intervened in a limited way and pressured US carriers - including AT&T, which had previously had a no-unlocking policy - to honor unlock requests from customers who have paid off their contracts. However, the carriers are allowed up to a year to comply with the request. In most other countries, carriers are required to allow a smartphone to be unlocked if the customer is in good standing with the carrier following the first 90 days of the contract.