Earlier this month, the FCC announced that AT&T Services has agreed to pay a $25 million civil penalty to resolve investigations into consumer privacy violations at AT&T call centers. In the incident, AT&T call center employees in Mexico, Columbia, and the Philippines accessed and disclosed customer records without authorization. These records revealed customer names and full or partial Social Security numbers for almost 280,000 US customers of AT&T. The records also revealed protected account-related data known as “customer proprietary network information” (CPNI). The employees whole stole the information provided it to unauthorized third parties who apparently wanted this information so they could unlock stolen cell phones.
The FCC began its investigation with a breach in the AT&T Mexico call center. In this breach, 3 call center employees accessed records of more than 68,000 accounts over a 168-day period from November 2013 to April 2014. Third parties then used the stolen data to submit over 290,000 handset unlock requests through the AT&T portal, which provides for (legitimate) customer unlock requests.
While the investigation was in progress, AT&T reported to the FCC that approximately 40 employees at AT&T call centers in the Philippines and Colombia accessed customer names, telephone numbers, and at least the last 4 digits of the customer Social Security numbers of 211,000 customers. As with the breach in Mexico, this information was also used to obtain unlock codes for AT&T mobile phones.
AT&T will notify all customers whose accounts were breached and will pay for credit monitoring for all consumers affected by the breaches. In addition, the settlement calls for AT&T to improve its privacy and security practices by appointing a senior compliance manager, conducting a privacy risk assessment, implementing an information security program, and providing regular training to its customers on privacy policies and regulations. [Editorial note: AT&T did not have an information security policy or program as recently as this month? Seriously?]
Whether $25 million, the cost of credit monitoring, and other costs imposed by the FCC action will matter to AT&T is up for debate. After all, AT&T’s 2013 revenues were $128 billion. However, we can hope that this is a sign that the FCC is beginning to move aggressively on data breach cases and that will do a better job of protecting our data moving forward.
The AT&T Order and Consent Decree is published at the FCC site.