US-based telecom company AT&T has reached a $25 million settlement with the Federal Communications Commission over call center employees improperly disclosing the personal data of about 280,000 US customers.
The breaches happened in the company's contracted call centers in Mexico, Colombia and the Philippines. The employees involved released information, including names and full or partial Social Security numbers, of almost 280,000 users. The FCC noted that unauthorized access to the users' smartphones had occurred and that information obtained from the breaches was used to obtain unlock codes for stolen phones. The employees also allegedly stole this information and sold it to third parties.
This is the largest privacy and data security enforcement action the FCC has ever taken. The watchdog fined carrier TerraCom and its affiliate YourTel America $10 million last October for failing to protect customers' personal information. FCC Chairman Tom Wheeler said in a statement: "As the nation's expert agency on communications networks, the commission cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud."
AT&T meanwhile noted in a statement that it has changed its policies and strengthened its operations. "Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate," the statement noted.
The data breach in Mexico happened over the course of 168 days from November 2013 to April 2014 and the investigation itself was started in May 2014. Three call center employees were paid by third parties to obtain customer information. The FCC investigation revealed that these employees accessed 68,000 accounts without customer authorization. The information was then used to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal.
Even as the Mexico call center was being investigated, similar breaches were tracked at call centers in Colombia and the Philippines. About 40 employees at the Colombian and Philippine facilities had accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to unlock mobile phones.
Besides the $25 million civil payment, AT&T will also be required to notify all customers whose accounts were improperly accessed, as well as pay for credit monitoring services for all affected customers. AT&T has also agreed to hire a compliance manager to put more regulatory measures in place at the company.
Reference: http://www.theverge.com/2015/4/8/8370515/att-fcc-settlement-data-thefts-25-million-fine