AT&T has settled with the US Federal Communications Commission for $25 million to resolve an investigation into consumer privacy violations at the telco’s call centres.
According to the FCC statement, the data breaches involved the unauthorised disclosure of almost 280,000 US customers’ names, full or partial Social Security numbers and unauthorised access to protected account-related data by employees at call centres used by AT&T in Mexico, Colombia and the Philippines.
These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorised third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.
“Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” said Travis LeBlanc, chief of the Enforcement Bureau. “Today’s agreement shows the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches. We hope that all companies will look to this agreement as guidance.”
Between November 2013 and April 2014, three call centre employees were paid by third parties to obtain customer information that could then be used to submit online requests for cellular handset unlock codes. More than 68,000 accounts without customer authorisation, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.
AT&T informed the Bureau that approximately 40 employees at the Colombian and Philippine facilities had also accessed approximately 211,000 customer accounts.
As a condition of settlement, AT&T will pay a $25 million civil penalty. The company will also notify all customers whose accounts were improperly accessed and will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional who will conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual and regularly train employees on the company’s privacy policies and the applicable privacy legal authorities.