AT&T fined $25M for customer data breaches used to obtain codes to unlock phones

AT&T Mobility (NYSE: T) agreed to pay a $25 million fine to settle an FCC investigation into privacy breaches of customers' personal information at call centers in Mexico, Colombia and the Philippines. Employees at those call centers accessed customer information without authorization and then sold the information to third parties, which then used the customer data to request codes from AT&T to unlock phones, according to the FCC.

The FCC believes that the third parties were involved in illicit trafficking of unlocked phones, though it is unclear how many phones were unlocked or what else the third parties did with the customer information.

The data breaches, which were first reported last year, involved the unauthorized disclosure of almost 280,000 U.S. customers' names, full or partial Social Security numbers as well as unauthorized access to protected account-related data, known as customer proprietary network information (CPNI). The FCC said the AT&T settlement is its largest privacy and data security enforcement action to date.

"As the nation's expert agency on communications networks, the Commission cannot--and will not--stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC Chairman Tom Wheeler said in a statement. "As today's action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."

According to a senior FCC official, in May 2014 the Enforcement Bureau launched an investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. In June 2014 AT&T first confirmed that, in April of that year, three employees of one of its vendors, which it did not name, had accessed the personal information of an unknown number of customers, including Social Security numbers and call records.

The FCC said three employees at the call center in Mexico were paid by third parties to obtain customer information--specifically, names and at least the last four digits of customers' Social Security numbers--that could then be used to submit online requests for the unlock codes. A senior FCC official said on a call with reporters that it's unclear how much money changed hands between the employees and the third parties, one of which went by the alias "El Pelon" in Mexico. That group might have been a "bundler" for reselling stolen unlocked phones in the U.S. or abroad, according to the FCC.

The three call center employees in Mexico accessed more than 68,000 accounts without authorization and provided the account information to third parties, who used it to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal. AT&T has terminated its contract with the call center in Mexico.

While it was investigating that breach, the FCC's Enforcement Bureau also learned that AT&T had additional data breaches at other call centers in Colombia and the Philippines. AT&T said around 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. The employees accessed around 211,000 customer accounts in connection with the data breaches at the facilities in Colombia and the Philippines.

In addition to paying the $25 million civil penalty, AT&T agreed to notify all customers whose accounts were improperly accessed. AT&T will pay for credit monitoring services for all customers affected by the breaches in Colombia and the Philippines.

Additionally, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company's privacy policies and the applicable privacy legal authorities. AT&T will also file regular compliance reports with the FCC.

"Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard," AT&T said in a statement. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."

It's unclear if the vendors AT&T worked with in Mexico, Colombia and the Philippines also work or worked with other wireless carriers. The FCC referred questions on the matter to AT&T, and an AT&T spokeswoman declined to comment. It's also unclear how many cell phones were unlocked as a result of the scheme or if any other harms resulted from the privacy breaches. AT&T declined to comment.
