FCC fines AT&T $25 million for theft of customer data
The United States Federal Communications Commission (FCC) is slapping rogue telecom behemoth AT&T with a $25 million fine for what it says is the company’s failure to protect the privacy, personal data and social security numbers of its paying customers. The complaint indicates that AT&T’s employees stole private information from an estimated 3 lakh customers via call centers located in Colombia (South America), Mexico and the Philippines.
According to a report in the New York Times, the thieves in the Mexican call center stole customer data between November 2013 and April 2014. This theft differs from most large-scale breaches in that it was not an aggregate data dump. The FCC complaint states that this particular collection of customer data was stolen and sold to an individual identified as “El Pelón,” which, when translated to English, means “the hairless.” This El Pelón character would contact someone at the call center with specific requests and information retrievals, then the employee(s) would hand over the private data.
It is speculated that the stolen data was used to reprogram mobile phones, thus making them suitable for resale on the international market. Stolen customer data was used to submit 290,803 handset unlock requests by way of AT&T’s website.
At this time, nobody seems to know what happened to the rest of the stolen data. AT&T’s customer service representatives had access to every scrap of the victims’ identities, including addresses, contact numbers, email addresses, social security numbers, etc., which means it would be a cakewalk to commit identity theft with this information.
This type of crime brings to mind the notion of a cell phone “kill switch.” Theft of mobile devices is a huge problem in nearly every country, leading consumer protection organizations and lawmakers to insist that telcos install kill switches on their products. The idea is that the company would somehow be able to revive a phone that has been erroneously killed, but the kill switch has the potential to become part of the problem when even the largest, richest telcos like AT&T can’t be bothered to monitor their call centers, despite having almost unlimited wealth and resources at their disposal. (According to AT&T’s FY2014 statement to the SEC, CEO Randall Stephenson is paid $20,778,038 per annum, a $6,041,667 portion of which is cash.) If call center employees will steal customer information, they won’t hesitate to revive stolen phones and sell them on the black market.
Tom Wheeler, chairman of the FCC, issued a statement recently: “The commission cannot, and will not, stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands.”
AT&T is being forced by the FCC to notify its victims and offer credit-monitoring services to them as well. It’s assumed that only those who have lost phones to theft in the past 18 months will be affected, but it’s possible that people who haven’t lost phones may still have been preyed upon.
This is the largest fine ever imposed on a company for a security breach of this nature.