Mobile security

AT&T Fined $25M for Privacy Violations

AT&T has agreed to pay the FCC $25 million for consumer privacy violations incurred at its call centers in Mexico, Colombia and the Philippines, a settlement the FCC says is its largest privacy and data security enforcement action to date.

The FCC's Enforcement Bureau alleges that employees at AT&T's call centers in the three countries disclosed almost 280,000 customers' names and full or partial Social Security numbers without authorization, and also accessed, without authorization, protected account-related data called customer proprietary network information (CPNI).

Three call center employees in Mexico illegally accessed this customer data and then sold it to unauthorized third parties who were trafficking in stolen cellphones and used the information to get unlock codes from the carrier. The FCC also uncovered the same issue in Colombia and the Philippines, where 40 employees sold the data from 21,000 customer accounts.

The breaches occurred between November 2013 and April 2014, during which time third parties managed to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal. The FCC says it launched its investigation in May 2014.

In a statement on the settlement, FCC Chairman Tom Wheeler criticized AT&T for its "lax data security practice" that exposed "the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud."

AT&T said in a statement to Fierce Wireless that it would notify all affected customers of the breach. The FCC is also requiring it to strengthen its security practices and hire a senior compliance manager who is a certified privacy professional to implement security protocols, train employees and ensure compliance.

While the data breach was the fault of AT&T vendors and nefarious employees, the onus is on AT&T to pay the fine and take responsibility for the privacy violations. Breaches like this are dangerous for consumers and harmful -- not to mention expensive -- to brands, highlighting how important it is for carriers to have a comprehensive security strategy in place for their networks, customer data and internal operations. (See AT&T's Amoroso: To Battle New Threats, Mobilize Your People and Security Suffers From 'Not My Job' Mentality.)

— Sarah Thomas, Editorial Operations Director, Light Reading

Phil_Britt 4/17/2015 | 12:18:33 PM
Re: AT&T logic
AT&T certainly should have been slapped harder by FCC, but privacy in today's day and age is a fairy tale. Much of business needs to be done on the grid and one might actually like Amazon to offer suggested purchases. But people need to realize that any information they divulge will likely be "shared" over and over and over again.

nasimson 4/16/2015 | 11:20:13 AM
AT&T logic
This is how AT&T logic would go: So now outsourcing costs 25 million dollars more. Hmm. Still outsourcing remains more cost effective than insourcing. So let's run business as usual.

mendyk 4/9/2015 | 10:54:19 AM
Re: Effectiveness
Traffic Court seems like a good role for the FCC. A token fine, a stern warning, and you're back on the road doing what you've always done.

sarahthomas1011 4/9/2015 | 10:43:03 AM
Re: Effectiveness
True, there are always bad seeds or even good employees gone bad. I've seen Office Space. Still, it's the FCC's biggest slap on the wrist to date...

mendyk 4/9/2015 | 9:21:14 AM
Re: Effectiveness
As Mitch points out, this is a gentle slap on the wrist. It's the equivalent of a parking ticket. This kind of thing probably would happen even if AT&T wasn't outsourcing these operations to offshore third parties rather than run its own call centers.

sarahthomas1011 4/8/2015 | 6:32:38 PM
Re: Effectiveness
I think it will at least force them to more carefully consider their potential employees. This was the result of a few bad employees, but also perhaps a system that makes it too easy to share private customer data without oversight. The FCC is requiring them to fix their operational processes here, and I hope they do it.

Mitch Wagner 4/8/2015 | 6:21:57 PM
Effectiveness
Whenever I read about fines like this, a cynical part of me wonders if a company like AT&T is simply going to shrug off $25 million as the cost of doing business and make no changes to its policies.