AT&T has agreed to pay the FCC $25 million for consumer privacy violations incurred at its call centers in Mexico, Colombia and the Philippines, a settlement the FCC says is its largest privacy and data security enforcement action to date.
The FCC's Enforcement Bureau alleges that employees at AT&T's call centers in the three countries disclosed almost 280,000 customers' names and full or partial Social Security numbers without authorization, and also accessed, without authorization, protected account-related data called customer proprietary network information (CPNI).
Three call center employees in Mexico illegally accessed this customer data and then sold it to unauthorized third parties who were trafficking in stolen cellphones and used the information to get unlock codes from the carrier. The FCC also uncovered the same issue in Colombia and the Philippines, where 40 employees sold the data from 21,000 customer accounts.
The breaches occurred between November 2013 and April 2014, during which time third parties managed to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal. The FCC says it launched its investigation in May 2014.
In a statement on the settlement, FCC Chairman Tom Wheeler criticized AT&T for its "lax data security practice" that exposed "the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud."
AT&T said in a statement to Fierce Wireless that it would notify all affected customers of the breach. The FCC is also requiring it to strengthen its security practices and hire a senior compliance manager who is a certified privacy professional to implement security protocols, train employees and ensure compliance.
While the data breach was the fault of AT&T vendors and nefarious employees, the onus is on AT&T to pay the fine and take responsibility for the privacy violations. Breaches like this are dangerous for consumers and harmful -- not to mention expensive -- to brands, highlighting how important it is for carriers to have a comprehensive security strategy in place for their networks, customer data and internal operations. (See AT&T's Amoroso: To Battle New Threats, Mobilize Your People and Security Suffers From 'Not My Job' Mentality.)
— Sarah Thomas, Editorial Operations Director, Light Reading