Feds wallop AT&T with $25M fine over stolen customer data

AT&T settles with FCC over customer data that was stolen from data centers overseas and used to unlock stolen mobile phones.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
3 min read


AT&T has reached a $25 million settlement with the Federal Communications Commission over stolen customer data from three international call centers.

The data breaches took place at contracted call centers in Mexico, Colombia and the Philippines, and involved the unauthorized disclosure of almost 280,000 U.S. customers' names, full or partial Social Security numbers and unauthorized access to protected account-related data. The FCC said the information obtained from these breaches was used to unlock codes for stolen phones. Workers at these call centers also sold this information to third parties.

This is the largest privacy and data security enforcement action the FCC has ever taken and comes as consumers increasingly worry about the safety of their private information. Last October, the FCC fined carrier TerraCom and its affiliate YourTel America $10 million for failing to protect customers' personal information. The FCC says the latest enforcement action shows it's serious about holding companies accountable for protecting consumers information.

"As the nation's expert agency on communications networks, the commission cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC Chairman Tom Wheeler said in a statement.

AT&T said it's since changed its policies and strengthened its operations. "Protecting customer privacy is critical to us," said a company spokesman. "We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate."

The breach in Mexico lasted 168 days, from November 2013 to April 2014. The FCC began investigating the breach in May 2014. The investigation revealed that three call center employees were paid by third parties to obtain customer information -- specifically, names and at least the last four digits of customers' Social Security numbers -- that could then be used to submit online requests for cellular handset unlock codes. The FCC said these employees accessed 68,000 accounts without customer authorization. The information was then used to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal, the agency said.

While investigating the Mexico call center, the FCC also became aware of breaches at call centers in Colombia and the Philippines. AT&T informed the FCC that approximately 40 employees at the Colombian and Philippine facilities had accessed customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to unlock mobile phones.

IAbout 211,000 customer accounts were accessed in these breaches, the FCC said.

As part of its settlement, AT&T will pay a $25 million civil payment. It will also be required to notify all customers whose accounts were improperly accessed, as well as pay for credit monitoring services for all affected customers. AT&T has also agreed to hire a compliance manager who will conduct a privacy risk assessment. The new compliance manager will also implement an information security program, prepare an appropriate compliance manual, and regularly train employees on the company's privacy policies.