The Federal Communications Commission (FCC), an independent government agency which regulates interstate communications in the United States, recently fined AT&T $25 million for a privacy leak regarding personal information and Social Security numbers of nearly 280,000 customers over a period of three years. It is the largest fine which has ever been issued for data and privacy violations in the history of the U.S.
AT&T is the second-largest cellphone provider in the U.S., as well as the 20th-largest in the world. It has around 120 million customers worldwide. The privacy breach came in the form of leaks carried out by employees at AT&T call centers, first in Mexico and then in the Philippines and Colombia. The employees accessed the account information, usually the names and full or partial Social Security numbers of customers, and sold them to traffickers of stolen cellphones. In Mexico, many of the numbers were specifically sold to an organization which calls itself El Pelón, meaning “hairless man” in Spanish. El Pelón supplied the employees with a list of accounts whose information they wanted.
The security breach was first discovered in Mexico when El Pelón, among other cell phone traffickers, submitted over 290,000 requests to unlock cellphones to AT&T during a six-month period after November 2013. During that period, the organization paid at least two employees to retrieve information from call centers for over 68,000 customer accounts. When the breach was discovered in September 2014, AT&T ended its contract with the Mexican call center and reported it to the California attorney general.
More security breaches, however, have recently been discovered in Colombia and the Philippines in 2015, with over 210,000 customer accounts tampered with or accessed by call centers in the countries. AT&T has stated that it has dismissed the 40 employees involved with the leaks, but the company still has ties to the centers.
There do not appear to be any other uses for the information taken via call center employees besides unlocking cell phones. Nevertheless, AT&T, as part of its settlement with the FCC, will be forced to provide its customers with credit-monitoring services, as well as an overseer to create better safeguards for AT&T customer data.
The need for unlock codes stemmed from a policy change for AT&T that set more stringent rules for unlocking cell phones, requiring users to enter personal information, including digits of their Social Security number, to unlock their phones.
This greatly affected the market for used smartphones, as it became more and more difficult for third-party sellers to unlock stolen cell phones to be sold on the black market. The data breaches for unlock code information went undetected for months, and they were finally discovered when the FCC began its probe into AT&T in mid-2014.
“As the nation’s expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC Chairman Tom Wheeler said in a statement. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
AT&T also released a statement, saying, “We are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations.”
Please note All comments are eligible for publication in The News-Letter.