Feds Hit AT&T with $25 Million Fine for Stolen Customer Data
The Federal Communications Commission (FCC) has walloped AT&T with a $25 million fine for a series of data breaches that exposed the private information of nearly 280,000 U.S. customers. AT&T will also appoint a new senior compliance manager who is an expert in privacy matters, develop a new compliance manual for privacy and data security and provide regular privacy training to employees, according to an agreement announced Wednesday by the FCC.
The FCC's Enforcement Bureau launched its investigation in May after learning of a breach of customer data that took place at an AT&T call center in Mexico. It later expanded the scope of its investigation upon learning of similar breaches at AT&T call centers in Colombia and the Philippines.
Those breaches involved call center employees receiving payments to provide third parties with customer information that included names, telephone numbers and the last four digits of customers' Social Security numbers. That data was then used to unlock mobile phones that AT&T customers had reported stolen.
Approximately 211,000 customers were affected by data breaches at AT&T's call centers in Colombia and the Philippines. Another 68,000 accounts were breached by three call center employees in Mexico, who allegedly passed along customer data to third parties who submitted 290,803 unlock requests through AT&T's online customer portal.
Five Firms Fined Since 2014
"As the nation's expert agency on communications networks, the commission cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," said FCC Chairman Tom Wheeler.
Travis LeBlanc, Chief of the FCC's Enforcement Bureau, added that the agreement underscores the agency's commitment to privacy by "ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches."
Phone companies that fail to "reasonably" secure customers' personal information are in violation of the U.S. Communications Act, according to the FCC. Over the past year, the agency has taken five major enforcement actions related to consumer privacy and data security. They included a $10 million fine against TerraCom Inc. and YourTel America Inc. for failing to protect personal customer information, a $7.5 million settlement with Sprint over do-not-call and do-not-text violations, a $7.4 million settlement with Verizon over unlawful marketing and a $2.9 million fine against Dialing Services LLC over unwanted robocalls to cellphones.
Largest Privacy, Security Action to Date
Following the settlement announcement, AT&T released a statement that said, "Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."
Under one of the terms of its settlement with the FCC, AT&T has agreed to pay for credit monitoring services for the customers affected by the data breaches at its call centers in Colombia and the Philippines. The AT&T settlement is the FCC's largest privacy and data security enforcement action to date, according to the agency. Enforcement Bureau Chief LeBlanc said he hoped that "all companies will look to this agreement as guidance."