Carriers’ tight grip on cellphone unlocking seems to have resulted in a cyberattack
by Bryan Fung, The Washington Post (blog)
In a letter to customers, AT&T is telling users that the breach occurred between April 9 and April 21, and by way of apology, the company is offering a year of free credit monitoring. Although AT&T didn’t reveal how many people were affected, California law requires companies to notify their customers when they’ve suffered a loss of user data in connection with a malicious attack affecting more than 500 people.
“We have taken steps to help prevent this from happening again,” the company said in a statement to The Washington Post. “We are notifying affected customers, and we have reported this matter to law enforcement.”
Unlike the relatively straightforward data breaches involving Target and P.F. Chang’s, though, there’s something unusual about this attack: AT&T says the hackers’ intent wasn’t to steal credit card numbers or commit other financial fraud. Instead, all they wanted was to pretend to be an AT&T customer so they could do something far more benign: unlock old, used handsets.
The process of unlocking frees up a device so that it can be taken from one carrier’s network to another. It’s nice to be able to do when you want to bring your phone from, say, AT&T, to T-Mobile, or if you want to take your phone on a trip overseas. AT&T and other carriers currently let you unlock your phone, but with heavy restrictions: You can only do it at the end of your two-year contract, or at the beginning. And you must do it through your carrier — no taking it to a third-party shop while you’re on the ground in Karachi or wherever you are.
The carriers’ tightfisted grip on when you can unlock your own device has drawn heavy complaints among consumer groups. Critics of the policy say it unnecessarily ties consumers to their carrier and makes it hard for old devices to be reused, particularly in the vast worldwide market for refurbished phones. Now with the breach at AT&T, it’s clear there are people out there who will compromise our most sensitive information just to make it easier to recycle used devices.