FCC Fines AT&T $25M Over Customer Data Breach


The FCC’s Enforcement Bureau has determined that employees at AT&T call centers illegally accessed the personal information of nearly 280,000 customers. Following the investigation, the Federal Communications Commission imposed a $25 million fine on AT&T for unauthorized use and inadequate protection of customer data.

“As the nation’s expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler.

He added, “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

AT&T must notify all affected customers and provide credit monitoring services

The employees involved worked at call centers located in Mexico, Colombia, and the Philippines. Investigators found they had accessed customers’ names, Social Security numbers, and account information without authorization. That data was then used to obtain unlock codes for stolen handsets, which were supplied to an underground network trafficking in illicitly unlocked phones.

“Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” said Travis LeBlanc, Chief of the Enforcement Bureau.

LeBlanc added, “Today’s agreement shows the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent future breaches. We hope that all companies will look to this agreement as guidance.”

Beyond the monetary penalty, AT&T is required to notify every customer affected by the breaches and to provide credit monitoring services for those impacted by the incidents in Colombia and the Philippines. The company must also designate a senior compliance manager to oversee data security and submit regular security reports to the FCC.

The FCC’s inquiry began in May 2014 and examined a breach that lasted 168 days, from November 2013 through April 2014. The probe found that three AT&T employees received payments from a third party in exchange for obtaining sensitive customer information, which facilitated illegal unlocking activity through AT&T’s online unlock portal.
