AT&T Slapped With ‘Largest Ever’ US Data Breach Fine

AT&T NDR equipment

US regulator sanctions AT&T over breaches at three overseas call centres that exposed valuable customer data

AT&T has been issued with a $25 million (£16.9m) fine by the US Federal Communications Commission over a consumer data breach at call centres in Mexico, Colombia and the Philippines.

According to the FCC, the data breaches involved the unauthorised disclosure of names and full or partial Social Security numbers of 280,000 US customers. The breach also involved the unauthorised access to protected account information.

The FCC said that this is its “largest privacy and data enforcement action to date.”

Data Breach

AT&T logoThe investigation by the FCC’s Enforcement Bureau, revealed that these data breaches occurred between November 2013 and April 2014. Staff at call centres used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorisation.

There seems to have been a criminal issue here, as three call centre staff members also accessed other personal information that was used to request handset unlock codes for AT&T mobile phones. The staff then provided this information to “third parties, who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.”

“As the nation’s expert agency on communications networks, the Commission cannot – and will not – stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” thundered FCC Chairman Tom Wheeler.

“As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers,” said Wheeler.

“Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” said Travis LeBlanc, Chief of the Enforcement Bureau. “We hope that all companies will look to this agreement as guidance.”

“We are terminating vendor sites as appropriate,” AT&T was quoted by Reuters as saying in response. “We’ve changed our policies and strengthened our operations.”

But this is not the first time AT&T has struggled with security woes and data breaches.Back in June 2010, a group of hackers exploited a security hole on AT&T’s website. As a result, the group was able to get its hands on the email addresses of 114,000 owners of Apple iPads.

Last year, Andrew ‘Weev’ Auernheimer, who was imprisoned in 2013 over that breach, was set free, although not because he was found innocent of the crimes for which he was convicted.

Are you a security pro? Try our quiz!