USD25mn Payout for AT&T Data Breach

AT&T has reached a USD25mn settlement with the US comms regulator, the Federal Communications Commission (FCC), over the breach of customer data at call centers in Mexico, Colombia and the Philippines. Per the FCC, the data breaches involved…

…almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI). This is the FCC’s largest privacy and data security enforcement action to date.

According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.

The statement goes on to state:

In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. During this period, three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.

The Enforcement Bureau also learned during the course of its investigation that AT&T had additional data breaches at other call centers in Colombia and the Philippines. AT&T informed the Bureau that approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed in connection with the data breaches in the Colombian and Philippine facilities.
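The FCC's description of the breaches has a recognisable shape: agents with legitimate system access looked up records that no customer contact justified, and the harvested names and partial SSNs then surfaced as a burst of unlock requests on a public portal, at a rate of roughly four requests per compromised account. Below is an added detection example, written for this article and not code from the FCC, AT&T or the author, that runs three rules over constructed CRM access and unlock-portal logs: agents with too many lookups lacking a case reference, unlock requests that closely follow a flagged agent's lookup of the same account, and source addresses submitting unlocks for many distinct accounts. All field names, thresholds, agent and account identifiers, addresses and timestamps are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed CRM access records (hypothetical). case_id is None when the
# lookup was not attached to any customer call, chat or ticket.
ACCESS_LOG = [
    {"agent": "A100", "account": "1001", "ts": "2014-01-06T09:02:00", "case_id": "C1"},
    {"agent": "A100", "account": "1002", "ts": "2014-01-06T09:15:00", "case_id": "C2"},
    {"agent": "A100", "account": "1003", "ts": "2014-01-06T10:01:00", "case_id": None},
    {"agent": "A200", "account": "2001", "ts": "2014-01-06T21:01:00", "case_id": None},
    {"agent": "A200", "account": "2002", "ts": "2014-01-06T21:02:00", "case_id": None},
    {"agent": "A200", "account": "2003", "ts": "2014-01-06T21:03:00", "case_id": None},
    {"agent": "A200", "account": "2004", "ts": "2014-01-06T21:04:00", "case_id": None},
    {"agent": "A200", "account": "2005", "ts": "2014-01-06T21:05:00", "case_id": None},
    {"agent": "A200", "account": "2006", "ts": "2014-01-06T21:06:00", "case_id": None},
    {"agent": "A200", "account": "2007", "ts": "2014-01-06T21:30:00", "case_id": "C9"},
]

# Constructed unlock-portal submissions (hypothetical, documentation IPs).
UNLOCK_LOG = [
    {"account": "2001", "ts": "2014-01-07T03:10:00", "source_ip": "203.0.113.7"},
    {"account": "2002", "ts": "2014-01-07T03:11:00", "source_ip": "203.0.113.7"},
    {"account": "2003", "ts": "2014-01-07T03:12:00", "source_ip": "203.0.113.7"},
    {"account": "1001", "ts": "2014-01-20T12:00:00", "source_ip": "198.51.100.4"},
    {"account": "2004", "ts": "2014-03-01T08:00:00", "source_ip": "203.0.113.7"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def flag_agents(access, max_uncased=5):
    """Rule 1: agents whose lookups without a case reference exceed a per-period
    threshold. The threshold is an assumed tuning value, not a real baseline."""
    uncased = Counter(r["agent"] for r in access if r["case_id"] is None)
    return {agent for agent, n in uncased.items() if n > max_uncased}


def correlate_unlocks(access, unlocks, flagged, window=timedelta(days=7)):
    """Rule 2: unlock requests for an account within `window` after a flagged
    agent first looked it up. Returns (account, source_ip) pairs."""
    first_seen = {}
    for r in access:
        if r["agent"] in flagged:
            t = parse_ts(r["ts"])
            if r["account"] not in first_seen or t < first_seen[r["account"]]:
                first_seen[r["account"]] = t
    hits = []
    for u in unlocks:
        acct = u["account"]
        if acct in first_seen:
            delta = parse_ts(u["ts"]) - first_seen[acct]
            if timedelta(0) <= delta <= window:
                hits.append((acct, u["source_ip"]))
    return hits


def bulk_unlock_ips(unlocks, min_accounts=3):
    """Rule 3: source addresses submitting unlocks for many distinct accounts,
    independent of any agent signal. Returns {ip: distinct_account_count}."""
    per_ip = defaultdict(set)
    for u in unlocks:
        per_ip[u["source_ip"]].add(u["account"])
    return {ip: len(accts) for ip, accts in per_ip.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    flagged = flag_agents(ACCESS_LOG)
    print("flagged agents:", flagged)
    print("correlated unlocks:", correlate_unlocks(ACCESS_LOG, UNLOCK_LOG, flagged))
    print("bulk unlock sources:", bulk_unlock_ips(UNLOCK_LOG))
```

On this constructed data only agent A200 is flagged (six uncased lookups against a threshold of five), three of its looked-up accounts receive unlock requests from the same address within a week, and that address is also caught by the volume rule on its own. In a real deployment the case-reference rule needs a per-agent baseline rather than a fixed number, and the correlation window should be tuned against the normal delay between a genuine customer contact and a legitimate unlock request.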

In addition to paying the USD25mn civil penalty, AT&T will have to…

…notify all customers whose accounts were improperly accessed. AT&T will pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines. Additionally, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.

The USD25mn settlement is the largest data security penalty in FCC history. It is the fifth major privacy and data security enforcement action the FCC has taken since May 2014, and the penalties across those five actions total more than USD50mn.

National regulators had been earning a reputation for being too lax at uncovering and punishing data breaches by telcos. This action shows that at least some regulators will no longer go easy on telcos proven to have inadequate controls over customer data, and that they are prepared to crack down in response to a growing public perception that big businesses are indifferent to the consequences of personal data abuses.

The controls that failed here were not exotic. Agents with legitimate access looked up records that no customer contact justified, and the harvested data fed 290,803 unlock requests against 68,000 accounts over 168 days before the Mexican breach was brought to an end. Telcos can no longer rely on a vague hope that nobody will notice such failings. They must tighten procedures now, or suffer increasing punishment.

You can read the full FCC statement here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.