IDG News Service reports AT&T has experienced a security breach that allowed employees working on behalf of a smartphone unlocking service to access personal information, call records and Social Security numbers of customers.

The second-hand unlocking market, which sees services like Chronic Unlocks charging to remove software locks on devices preventing them from being used on other carriers, continues to be somewhat of a grey area. Earlier this year the US House of Representatives passed a bill that reversed an earlier decision by the Library of Congress to make unlocking a violation of the Digital Millennium Copyright Act, but it received criticism from the Electronic Frontier Foundation and other industry watchers. The bill made unlocking allowed for individuals, but not “for the purpose of bulk resale.” Many carriers unlock devices if requested by the customer, but policies vary from carrier to carrier and country to country.

The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn’t say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.

“Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,” the company said in a letter to affected customers. “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T than are used to unlock AT&T mobile phones in the secondary mobile phone market.”

[tweet https://twitter.com/chronic/status/477571317244256256]