FCC Fines AT&T $25m for Data Privacy Lapse

By Karen Painter Randall

The Federal Communications Commission (FCC) reached a $25 million settlement with AT&T for failing to protect the privacy, personal information and Social Security numbers of its customers. According to the FCC’s complaint, AT&T employees working at call centers in Mexico, Colombia and the Philippines actively stole this information from an estimated 300,000 people.

In Mexico, the information was gathered between November 2013 and April 2014. Unlike most large-scale breaches, this was not an aggregate data dump. Rather, according to the FCC complaint, the information in question was harvested and sold to an individual known only as “El Pelón.” El Pelón would contact the call center with specific requests and information pulls, and the employee or employees would then provide the information. It is believed that this data was used to reprogram phones for resale on the global market, as the stolen information was used to submit 290,803 handset unlock requests through AT&T’s website.

According to a statement released by AT&T: "We are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations." The company further reported that it has been taking steps to inform affected customers.

The $25 million civil penalty levied on the No. 2 wireless carrier is the largest data security enforcement action to date. In October, the FCC imposed a $10 million fine on telecom companies TerraCom and YourTel for consumer privacy breaches. The recent settlement with AT&T is another example of a regulatory body cracking down on companies that fail to properly protect their customers’ personally identifiable information.