AT&T Gets a $25,000,000 Fine after Contractor Data Theft
The Federal Communications Commission has brought AT&T to a $25,000,000 settlement over its mismanagement of customer data between the end of 2013 and the end of 2014. Rather than face litigation, AT&T has agreed to the FCC’s largest-ever settlement in relation to data and privacy loss or theft. (Another fairly large settlement happened less than a year ago, regarding Sprint’s violation of the Do-Not-Call Implementation Act of 2003, which cost them $7,500,000.)
Foreign Contractors Sold Customer Information
The largest settlement in history went unchallenged for a reason: the charges against AT&T are egregious. The FCC says that between November 2013 and April 2014, at a call center in Mexico, a (contracted) customer service representative was bribed to steal AT&T customer social security numbers, which were then used to get stolen phones unlocked on the network.
A similar scheme, the agency says, took place in Colombia between February and July 2014, as well as May to December in the Philippines. In each case, a single employee was all it took. The majority of the victimized customers were Spanish-speaking, which is the reason they were routed to these offshore call centers in the first place.
The agency feels that AT&T practiced gross negligence in the form of “lax data security policies,” according to FCC Chairman Tom Wheeler, who made a statement in the official press release:
As the nation’s expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud. As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.
FCC Hasn’t Always Been This Proactive
Some may remember that when AT&T was found in 2006 to have colluded with the legally dubious NSA wiretapping scheme, in which all customer calls were routed through government servers to be eavesdropped upon, the Commission scandalously chose not to investigate the matter. Constitutionally, this might have been a safe move, since, unlike a police organization such as the DEA, its job is to enforce regulations that it must itself charter, whereas the DEA enforces laws made by legislators.
Nevertheless, Massachusetts Representative Edward Markey said of the decision,
“The FCC, which oversees the protection of consumer privacy under the Communications Act of 1934, has taken a pass at investigating what is estimated to be the nation’s largest violation of consumer privacy ever to occur. If the oversight body that monitors our nation’s communications is stepping aside then Congress must step in.”
Nearly 300,000 Stolen Phones Unlocked
As far as the agency knows, a total of 290,803 stolen cell phones were successfully unlocked using compromised data that the crooked employees obtained. If one assumes the median black market price of the phones was in the neighborhood of $80, the scheme could have taken in as much as $23 million. Like as not, the employees were paid a tiny fraction of this amount for their part in it.
This figure does not include any other proceeds that could be gained from the use of the user data, such as credit card fraud, bank accounts, et cetera. To this end, AT&T has already paid for credit monitoring services for customers affected by the Mexico breach, and will do the same for customers affected by those in Colombia and the Philippines.