AT&T To Pay $25M To Settle FCC Investigation Into Call Center ID Theft

FCC investigators have found that AT&T call center employees in Mexico, Colombia, and the Philippines illegally accessed and sold personal data — including names and (mostly partial) Social Security numbers — for around 280,000 customers. Thus, the telecom giant has agreed to settle with the Federal Communications Commission for $25 million, the Commission’s largest privacy and data security enforcement ever (at least until the next mammoth, inevitable cock-up).

The FCC says that call center workers were able to access sensitive personal data while obtaining other information from AT&T customers who had requested to have their phones unlocked.

The breach at the Mexico call center lasted from Nov. 2013 to April 2014. Three employees at the center accessed more than 68,000 accounts without customer authorization.

The employees didn’t just give this info to some marketing company or spammer, but sold it to third parties who then used the data to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.

During the FCC’s investigation into the Mexico breach, agents learned of similar issues at the call centers in Colombia and the Philippines. The theft was even more widespread at these two locations, with AT&T identifying 40 employees who had illegally accessed customer information for some 211,000 customer accounts.

According to the terms of the agreement [PDF], AT&T will pay a $25 million civil penalty to the FCC. The company must also notify all customers whose accounts were improperly accessed and pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines.

Additionally, AT&T must appoint a senior compliance manager who is a certified privacy professional, conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual, and regularly train employees on the company’s privacy policies and the applicable privacy legal authorities.

“As the nation’s expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler in a statement. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

In a statement to Consumerist, an AT&T spokesperson says:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.