FCC Hits AT&T with Record $25 Million Fine for Customer Data Breaches
The Federal Communications Commission (FCC) has entered a $25 million settlement with AT&T Services, Inc. to resolve an investigation into consumer privacy violations at AT&T's call centers in Mexico, Colombia, and the Philippines.
The FCC says that the data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers' names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI).
This is the FCC's largest privacy and data security enforcement action to date.
According to an investigation by the FCC's Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. The investigation found that these employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.
"As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," said FCC Chairman Tom Wheeler. "As today's action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."
In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. During this period, three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers' Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal.
Through its investigation the Enforcement Bureau also learned that AT&T has additional data breaches at other call centers in Colombia and the Philippines. AT&T informed the Bureau that approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed in connection with the data breaches in the Colombian and Philippine facilities.
As a condition of the settlement, AT&T will pay a $25 million civil penalty. The company will also notify all customers whose accounts were improperly accessed, and pay for credit monitoring services for all consumers affected by the breaches.
Additionally, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company's privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.
Including today's announced settlement with AT&T, the FCC has taken a total of five major enforcement actions valued at over $50 million in the last year to protect consumer privacy and data security.
The AT&T Order and Consent Decree are available at:https://docs.fcc.gov/public/attachments/DA-15-399A1.pdf