AT&T To Pay $25 Million Penalty For Data Breaches At Offshore Call Centers
Friday, May 08, 2015
In April, the U.S. Federal Communications Commission (FCC) announced that AT&T Services, the telephone giant, will pay $25 million to settle consumer privacy violations at the company's call centers in Mexico, Colombia, and the Philippines. The FCC announcement described how the insider breach happened:
"The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI)... According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones..."
The data breach at the Mexico call center lasted 168 days, spanning November 2013 to April 2014. The FCC Enforcement Bureau began its investigation in May 2014:
"... three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal."
"... approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed..."
The FCC announcement stated that AT&T's failure to reasonably secure customers’ personal information violated a carrier’s duty under Section 222 of the Communications Act. The breach also constituted an unjust and unreasonable practice in violation of Section 201 of the Act. Terms of the settlement agreement require AT&T to:
- Pay a $25 million civil penalty,
- Notify all customers whose accounts were accessed,
- Provide credit monitoring services to all consumers affected,
- Improve its privacy and data security practices: appoint a senior compliance manager and implement an information security program,
- Conduct a privacy risk assessment,
- Prepare an appropriate compliance manual, and
- Regularly train employees on the company’s privacy policies and the applicable privacy laws.
AT&T is also required to provide regular compliance reports to the FCC. FCC Chairman Tom Wheeler said about the breach:
“As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud... the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
According to its website, AT&T has more than 120 million wireless customers, 12.2 million U-verse high-speed Internet customers, and 3.5 million business customers. Total company revenues were $128.8 billion in 2013. The total workforce in 2014 was 243,620 employees. Download the AT&T Consent Decree with the FCC (Adobe PDF).
The breach announcement and settlement highlight the extent to which consumers' sensitive personal information is transmitted around the world, and the vulnerability of that information at offshore facilities. When companies move jobs to other countries, that often requires the transmission of consumer information to facilities in those countries.
Also, the breach emphasizes the fact that criminals have done their homework. They have identified both the corporations that are high-value targets with large amounts of consumer information, and the offshore locations. I applaud the FCC's actions and expect to hear more.
[Editor's note: in the interest of full disclosure, I am an AT&T mobile customer. I also received a breach notice from the company. I will share more about that in an upcoming blog post.]
I wonder whether FCC Chairman Tom Wheeler has traveled the road to Damascus and been converted to a true and faithful public servant. I am amazed by Chairman Wheeler's recent acts, his protection of net neutrality, his overturning Comcast's attempted merger with Time Warner Cable, and now enforcing the Communications Act against AT&T. Certainly, his former employers and colleagues in the Internet and Cable TV industries must be thinking that they don't know Wheeler, are wondering whether they ever knew him, and are certainly regretting that they ever offered him to the White House and Congress as Chairman of the FCC and as the third Democratic vote on the five-member FCC Commission.
Yet, consumers, who are the ordinary Americans, and American businesses, other than large ISPs and the Cable TV industry, can rejoice in Chairman Wheeler's faithful performance of his job as Chairman of the FCC according to law and the FCC's mandate. And Chairman Wheeler, regardless of what happens when his tenure at the FCC ends, has created a legacy that he can be proud of, and one that he has probably paid dearly for in the lucrative jobs that now won't be offered to him when he leaves the FCC. But Wheeler is already rich, and what he has done for us and his legacy is far more valuable than a few dollars more.
Posted by: Chanson de Roland | Saturday, May 09, 2015 at 11:40 AM