09 April 2015

ATT Data Breach

The US Federal Communications Commission has imposed a US$25 million penalty as part of a settlement with AT&T over the telco's failure to protect customer personal information, including Social Security numbers.

Employees at call centers in Mexico, Colombia and the Philippines used by AT&T were found to have stolen the names and full or partial Social Security numbers of about 300,000 customers, with the information being sold to third parties.

Customer service staff in Mexico provided data corresponding to specific phone numbers  supplied by a man with the alias El Pel√≥n. The data accessed without authorization was used to submit 290,803 mobile phone handset unlock requests through the telco's website.

The FCC first learned of the privacy violations after ATT reported the activity in Mexico to California's attorney general last year. Breaches in the Philippines and Colombia were reported to the FCC this year. Approximately 211,000 customer accounts were accessed in connection with data breaches in the Colombian and Philippine facilities.

The FCC has not indicated whether other telcos carriers used the same call centres.

AT&T has announced that
Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers.
The FCC states
The commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands. Customers trust that their phone company will zealously guard access to sensitive personal information in customer records. We hope that all companies will look to this agreement as guidance.
 The FCC notes that
The company will also notify all customers whose accounts were improperly accessed. AT&T will pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines.Additionally, AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC. 
The failure to reasonably secure customers’ personal information violates a carrier’s duty under Section 222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act. The Commission has made clear that it expects telecommunications carriers to take “every reasonable precaution” to protect their customers’ data. The Commission has also adopted rules that require carriers to take reasonable measures to discover, report, and protect against attempts to access CPNI without authorization. 
With this action, the Commission has taken five major enforcement actions valued at over $50 million in the last year to protect consumer privacy and data security. In May 2014, the Commission announced a $2.9 million planned fine against Dialing Services, LLC, for violating Commission rules that seek to protect consumers from harassing, intrusive, and unwanted robocalls to mobile devices. Also in May 2014, Sprint Corporation entered into a $7.5 million settlement to resolve an investigation into Sprint’s failure to honor consumers’ do-not call or do-not-text requests. In September 2014, the Commission reached a $7.4 million settlement with Verizon to address the company’s unlawful marketing to two million customers without their consent or notification of their privacy rights. In October 2014, the Commission announced a $10 million planned fine against TerraCom, Inc., and YourTel America, Inc., for failing to provide reasonable protection for customers’ personal information.