AT&T late last week confirmed that three employees of one of the company’s vendors accessed personal data belonging to some of its customers for almost two weeks in April. The company did not say how many accounts were affected during the data breach, or why it took so long to confirm it.

“We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization,” AT&T executive director for media relations Mark Siegel told Re/code. “This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.”

The Register further notes that according to California law, companies are required to issue a public disclosure any time they suffer a breach that affects more than 500 residents.

AT&T has filed documents with the California Attorney General’s office that reveal more details about what actually happened. Between April 9 and April 21, three unnamed employees accessed personal data including social security numbers and dates of birth in an unlocking scheme. The hackers would have also been able to access the Customer Proprietary Network Information (CPNI) during the process, which is information related to what subscribers purchase from AT&T.

The information is needed to unlock certain devices locked to AT&T’s network, and then resell them.

AT&T apparently contacted customers who have been affected via snail mail, with the carrier saying it will offer them one year of credit monitoring services free of charge. AT&T is also advising them to immediately change the passwords of their accounts.

AT&T’s letter to customers is available at the source link below.