(I just started working at Google, and getting at any user data, eg for debugging of a complicated problem, is the single biggest pile of paperwork they make you do. Even anonymized logs.)
Not the OP, and it's not about AT&T, but I once knew a HR person who worked for a big and world-renowned telecom company in my (East-European) country. At some point she started to suspect her then-boyfriend of cheating on her, and to convince herself she "nicely asked" one of her IT colleagues at her job to look through the SMS messages of her boyfriend stored in the company's systems (because, presumably, she couldn't lay her hands on her boyfriend's phone directly). Said IT guy did just that, i.e. informed my former acquaintance of the SMS messages on her boyfriend's phone.
I used to work for a large midwestern wireless company and since it was "family owned" there were a ton of lax rules about stuff.
People would go through users telephone logs, listen to their voicemails and read their SMS messages. If you had the right access, it was a wide open system with little or no safeguards on it. I think back on it now and am appalled, but at the time it was a kind of running joke to the guys in tech support.
Some years ago I was working contract for a large employer. Among other systems I had access to was the LDAP database (effectively: the full company directory).
My contract agency requested that I provide them with a company directory. I found the least helpful way to comply with that I could, with minimal information. Though thinking back on this, I 1) probably shouldn't even have done that, 2) should have refused the request, and 3) should have reported the request to the client.
And that's one of the, generally, more upstanding contract shops I've dealt with (still have occasional relations though no further gigs to date).
Dealing with ethics in the heat of it, especially where an engineering mindset tends to "this is a problem I should figure out how to solve" can be ... interesting.
More to the point: confidentiality of customer data is at best a secondary concern, and often not at all, until it becomes "a problem" (lawsuit, news scandal).
More story time.
I worked for a firm providing services to a large revolving consumer credit organization. These companies are essentially two things: a really impressive transactions processing network (the volume of traffic they handle is immense), and branding.
Think of all the credit card commercials you've seen. That's the branding side at work.
As a contractor of theirs, there was a requirement to go through their data security training.
And while, yes, PII (personally identifiable information) was a concern, the vast bulk of the message, and emphatically highest concern, was with the brand, business plans, and similar information. That is, a company with vast holdings of personal information (described by a military acquaintance with intelligence ties in the late 1990s as "more than we've got" from the perspective of the TLAs, though that status may have since changed), was more concerned with how its trademarks and marketing campaigns were protected was ... revealing.
Gotta focus on them core competencies. Identical services don't market themselves, someone has got to spend a lot of money to convince people of their uniqueness, and that makes security secondary.
And some of them rely on the goodwill / honesty of the employees that have access to said sensitive data. Might not be the best way to go around it, but it does happen.
I used to work for a company contracted to a major US Telecom to provide certain SMS related network services. There were basically zero protections on user data. Anyone who wanted to could watch the stream of SMSs go by.
The subscriber <-> circuit <-> address mapping seems like it would be pretty essential to most of AT&T's field operations.
I would expect better controls against wiretapping, reading texts, accessing smartphone location data, etc. but identifying which physical circuit is serving a customer (and, consequently, where that customer lives) would seem to be a pretty basic bread-and-butter operation for AT&T. Not really a place where you could afford to go through a bunch of paperwork or an approval process.
After the fact however, it should be easy. Did the person with the phone call to open a ticket? Were there any tickets? Who accessed the information....
The data's already there to run that sort of analysis. Unless they for some ... very difficult to imagine... reason don't log the actions of their own staff.
(I just started working at Google, and getting at any user data, eg for debugging of a complicated problem, is the single biggest pile of paperwork they make you do. Even anonymized logs.)