Technically, AT&T is not at fault for this customer records data breach, but the call centers that work for the service providers, Nonetheless, AT&T has been fined a record $25 million, which according to the FCC is the largest sum ever fined in a data breach and customer privacy case ever. According to the FCC, over the past year, AT&T call centers in Mexico, the Philippines and Colombia were the root of the problem, as more than 50 employees engaged in collecting and selling customer records to third parties, who were mostly actual criminals in the business of stolen smartphones and feature phones.
The AT&T employees gathered customer records and because the company didn’t put accurate monitoring services and a good data security program in place, they were able to sell information like social security numbers, addresses, names and what have you to people who were trying to unlock and resell stolen phones. The $25 million fine that AT&T received is a civil penalty and it involves the company taking responsibility for the theft of customer records. The FCC also requires the service provider to keep an eye on consumer records in a better manner and is obligating AT&T to hire specialized data security teams that would supervise call center activity.
According to the FCC, since the customer records started leaking from these call centers, more than 290 thousand unlock requests were performed on AT&T’s website, all of them connected to the customer records that were sold to the criminals mentioned above. More than 300 thousand AT&T customers were affected by the massive data breach, customer records being leaked to members of one or more crime circles that dealt with stolen phones. AT&T has reiterated that these customer records were not being used for identity theft or other malicious purposes, being strictly used for unlocking smartphones. AT&T will further provide assistance and credit tracking for the affected customers.