Social Security numbers part of customer data stolen at 3 AT&T centers tied to mobile device trafficking
AT&T was hit with a $25 million fine tied to the unauthorized disclosure of personal information of nearly 280,000 U.S. customers. The Federal Communications Commission noted the data breaches included full or partial Social Security numbers and access to protected account-related data.
An FCC investigation found the data breaches occurred at AT&T call centers in Mexico, Colombia and the Philippines where employees access customer records without authorization. That information was then provided to third parties that used the information to facilitate unlocking of mobile devices that were part of a trafficking ring targeting stolen mobile phones and secondary-market phones.
The investigation, which began last May, found a 168-day data breach at an AT&T call center in Mexico between November 2013 and April 2014. During that time, it was found that three call center employees were paid by a third party to obtain the customer information used to submit online requests for handset unlock codes. Those employees were found to have accessed more than 68,000 accounts, with the information used by the third party to submit 290,803 handset unlock requests.
The investigation uncovered additional data breaches at call centers in Colombia and the Philippines, in which AT&T admitted that approximately 40 employees had accessed customer names, telephone numbers and at least the last four digits of Social Security numbers for similar unlock code requests. It was found that approximately 211,000 customer accounts were accessed at those two facilities.
The international aspect of the data breach was noted as a potential larger problem for AT&T.
“It calls into question the integrity of call centers outside of the U.S.,” noted Robert Cattanach, partner at law firm Dorsey & Whitney, in a statement laying out the impacts of the data breach. “The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Colombia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack.”
As part of the $25 million civil penalty, which the FCC said was the largest it has levied connected to consumer privacy, AT&T will also be required to notify impacted customers; pay for credit monitoring services connected to the breaches in Colombia and the Philippines; appoint a senior compliance manager “who is a certified privacy professional conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities.” In addition, AT&T will have to file regular compliance reports with the FCC.
“As the nation’s expert agency on communications networks, the commission cannot – and will not – stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler, in a statement. “As today’s action demonstrates, the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
Bored? Why not follow me on Twitter
Photo copyright: / 123RF Stock Photo
