AT&T fined $25 million by FCC over customer data breaches to obtain phone unlock codes
For nearly six months, between November 2013 and April 2014, off-shore call centers for AT&T accessed customer information, including social security numbers and other account data, and then sold the information to third-parties. The breaches were being made without authorization, and occurred at call centers in Mexico, Colombia, and the Philippines. In all, more than 280,000 US-based customers’ records were accessed.
It was not reported if the companies that operate these call centers serve any other US carriers. In this particular case, according to AT&T, three employees in Mexico, and another 40 at the centers in Colombia and Philippines accessed, at a minimum, names, telephone numbers, and at least the last four digits of the social security number on the account.
That data was sold to parties that would use that information to get the unlock codes for AT&T mobile phones. The FCC’s enforcement bureau initially began investigating the data breaches in Mexico, and later discovered the other problem areas during the investigation. Since it was AT&T’s responsibility to maintain Customer Proprietary Network Information (CPNI), the FCC placed the burden on the carrier as the investigation progressed.
The center in Mexico accessed about 68,000 records, from which, they determined more than 290,000 handset unlock codes were requested. In addition to paying the fine, AT&T will be notifying affected customers directly and will pay for credit monitoring services for those customers. The carrier has since canceled the contract with the Mexican center, and is taking “appropriate” action with the other vendors in Colombia and the Philippines.