AT&T Agrees to $25 Million Penalty Over Data Breach
AT&T agreed to pay a civil penalty of $25 million under a consent decree with the FCC after data breaches by the company’s vendors in an apparent cellphone unlocking scheme exposed the personal information of more than 280,000 company customers in the U.S., the Enforcement Bureau said Wednesday. It was the largest penalty the FCC has handed out for privacy and data protection, a senior agency official said during a call with reporters.
Third parties, not identified by the agency, provided employees of AT&T vendors at call centers in Mexico, Colombia and the Philippines lists of cellphone numbers, and paid the employees for personal information like customer names and the last four digits of Social Security numbers, which could then be used to unlock phone numbers, said the official, speaking at a background briefing on the condition of anonymity. The third parties appeared to have been trafficking in stolen cellphones or resold phones that they wanted to unlock, the agency said. Though the call centers were outside the U.S., the official said, affected customers were believed to be in the U.S.
While providing the information to the third parties, the call center employees accessed other types of personal information like the phone numbers called, and the time and duration of the calls, but it was unknown if that information was used by third parties, the official said. AT&T said in an emailed statement, “we have no reason to believe that the information was used for identity theft or financial fraud against our customers. Instead, our investigation suggests that the improperly accessed information was used to get codes that allow phones programmed for the AT&T network to be used on other networks.”
The AT&T statement also said protecting consumers’ privacy is “critical to us. … Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are reaching out to affected customers to provide additional information.” A company spokesman also said implicated vendors' employees have been terminated. “We are enhancing our existing security measures and developing new security measures to help prevent these types of situations in the future,” the spokesman said, declining to provide details of the changes.
Neither the company nor the agency named the vendors, and the FCC official didn't say whether the vendors worked with other carriers. Sprint and Verizon didn't comment. T-Mobile hasn't seen similar issues affecting its customers and hasn't been contacted by the FCC, a company spokesman told us.
The agency “cannot -- and will not -- stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” Chairman Tom Wheeler said in a news release, and the enforcement action shows the agency “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” The official said the action was taken under Communications Act Section 222 rules on protecting consumer privacy and under Section 201’s ban on “unjust and unreasonable” practices.
The settlement “demonstrates the continuing encroachment of the FCC into areas once thought to be the exclusive domain of the [Federal Trade Commission],” said Robert Cattanach, a regulatory attorney at Dorsey & Whitney, in a press release: “This is a classic data breach enforcement action that typically would have been prosecuted by the FTC until most recently.” The FTC didn't comment.
The action was praised by Electronic Privacy Information Center President Marc Rotenberg. “Data breaches involving personal information are one of the top concerns of consumers. And telephone companies have a special responsibility to safeguard CPNI [customer proprietary network information] records,” he said in an emailed statement.
The settlement is "yet another pro-consumer enforcement action in the agency’s long history of strong data security, data breach, and privacy protections on communications networks,” Charles Duan, a Public Knowledge staff attorney, said in a statement.
The action comes as the agency deals with protecting CPNI for broadband customers after the net neutrality order (see 1503300037). The official during the press call said only that the agency won't treat broadband companies differently from other telecommunications providers.
Under the consent decree, AT&T will notify all customers whose accounts were improperly accessed and pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines. AT&T had previously offered the service to those affected by the Mexico breach, the agency said. AT&T also agreed to appoint a certified privacy professional as a senior compliance manager as well as to do a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual and train employees on the company’s privacy policies and applicable privacy legal authorities, the agency said. AT&T also will file regular compliance reports with the agency, the agency release said.
The bureau began the investigation in May 2014 after being notified by the company of a data breach in the Mexico call center between November 2013 and April 2014, the official said. Three call center employees accessed more than 68,000 accounts without customer authorization, the official said. Third parties used that information to submit 290,803 handset unlock requests through AT&T’s site, the official said. The number of requests is higher than the number of customers, the official said, because requests to unlock several phones can be sent per customer. During the investigation, AT&T informed the agency that about 40 employees at the Colombian and Philippine call centers had also accessed the information of 211,000 customers, the official said.
Among other recent major privacy actions: Sprint in May 2014 agreed to a $7.5 million settlement after an investigation into the company's not honoring do-not-call or do-not-text requests (see 1405200036). In September 2014, Verizon agreed to a $7.4 million settlement with the FCC over allegations of unlawfully using customer information in marketing (see 1409040059).