AT&T fined $25m over string of data breaches

The US telecoms watchdog has fined AT&T $25m for failing to prevent a string of data breaches affecting 280,000 of its customers, whose confidential data were used to facilitate the trafficking of stolen mobile phones.

Workers at AT&T call centres in Mexico, Columbia and the Philippines, accessed the private information of the US-based customers, including their social security numbers, and passed it on to third parties. Investigators believe it was then used to unlock stolen mobile phones so they could be resold.

Two call-centre workers in Mexico admitted to selling the information to a person known as "El Pelon", Spanish slang that roughly translates as "bald guy". Hundreds of thousands of requests for handset unlock codes were subsequently submitted to AT&T's online portal.

AT&T, the second-largest US wireless group with over 100m subscribers, agreed to pay a civil penalty of $25m to settle the matter, the largest fine ever handed out for a privacy breach by the Federal Communications Commission.

The company also agreed to improve its security procedures by hiring a new senior compliance manager and to inform all affected customers.

"The Commission cannot - and will not - stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," said FCC chairman Tom Wheeler.

"The commission will exercise its full authority against companies that fail to safeguard the personal information of their customers," he added.

<

The tabular content relating to this article is not available to view. Apologies in advance for the inconvenience caused.

The call-centre was run by another company on behalf of AT&T to provide Spanish language support to its customers in the US, although AT&T was responsible for maintaining and securing the computer systems. It has since terminated its contract with the call-centre.

AT&T first became suspicious in December 2012 and a handful of staff were either fired or resigned. However it did not report the data breaches to the US Secret Service or the Federal Bureau of Investigation, because it concluded that there had not been a breach of "customer proprietary network information".

Following another data breach in April 2014, AT&T commenced an internal investigation and interviewed several employees. One was described as having an "evasive attitude" and was dismissed following a lie-detector test. It was at this point the US carrier informed the relevant authorities, which began an investigation soon after.

Last month AT&T told the authorities it was investigating a series of similar data breaches at call centres in Columbia and the Philippines.

"We've changed our policies and strengthened our operations," AT&T said in a statement. "While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers."

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation