AT&T to pay $25 million for consumer privacy breach
The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers' names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI). This is the FCC's largest privacy and data security enforcement action to date.
According to an investigation by the FCC's Enforcement Bureau, these data breaches occurred when employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization.
These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.
In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014.
During this period, three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers' Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes.
The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal. ■