AT&T to Pay $25 Million to Settle Three Consumer Data Breaches at Multiple Contact Centers

The Federal Communications Commission (FCC) has entered a $25 million settlement with AT&T Services to resolve an investigation into consumer privacy violations at AT&T’s call centers in Mexico, Colombia, and the Philippines. The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names and full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI). This is the FCC’s largest privacy and data security enforcement action to date.

According to an investigation by the FCC’s enforcement bureau, the data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen or secondary-market cell phones that they wanted to unlock.

“As the nation's expert agency on communications networks, the commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC chairman Tom Wheeler in a statement. “As today’s action demonstrates, the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

In May 2014, the enforcement bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. During this period, three call center employees were paid by third parties to obtain customer information, specifically names and at least the last four digits of customers’ Social Security numbers, that could then be used to submit online requests for cellular handset unlock codes. The three employees accessed more than 68,000 accounts without customer authorization and provided the information to third parties, who used it to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.

The enforcement bureau also learned during the course of its investigation that AT&T had additional data breaches at other call centers in Colombia and the Philippines. AT&T informed the bureau that approximately 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers, and at least the last four digits of customers’ Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed in connection with the data breaches at the Colombian and Philippine facilities.

In addition to the $25 million civil penalty, AT&T will notify all customers whose accounts were improperly accessed, the FCC said, and will pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines. AT&T will also be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities.

AT&T will file regular compliance reports with the FCC. The failure to reasonably secure customers’ personal information violates a carrier’s duty under Section 222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act. The commission has made clear that it expects telecommunications carriers to take “every reasonable precaution” to protect their customers’ data.

“Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” said Travis LeBlanc, chief of the enforcement bureau, in a statement. “Today’s agreement shows the commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches. We hope that all companies will look to this agreement as guidance.”

The commission has adopted rules that require carriers to take reasonable measures to discover, report, and protect against attempts to access CPNI without authorization. With this action, the commission has taken five major enforcement actions valued at over $50 million in the last year to protect consumer privacy and data security.

In May 2014, the commission announced a $2.9 million planned fine against Dialing Services, LLC, for violating commission rules that seek to protect consumers from harassing, intrusive, and unwanted robocalls to mobile devices. Also in May 2014, Sprint entered into a $7.5 million settlement to resolve an investigation into Sprint’s failure to honor consumers’ do-not-call or do-not-text requests.

In September 2014, the commission reached a $7.4 million settlement with Verizon to address the company’s unlawful marketing to two million customers without their consent or notification of their privacy rights. In October 2014, the commission announced a $10 million planned fine against TerraCom, Inc., and YourTel America, Inc., for failing to provide reasonable protection for customers’ personal information.