AT&T agreed to pay $25 million to settle the investigation of the Federal Communications Commission (FCC) regrading its consumer privacy violations at its call centers outside the United States.
AT&T data breaches
According to the FCC, the personal data of approximately 280,000 U.S. customers were disclosed improperly by AT&T’s call centers in Colombia, Mexico, and the Philippines.
The Commission’s Enforcement Bureau said the data breaches occurred when call center employees accessed the customer proprietary network information (CPNI) without authorization. They passed customers’ personal information to third parties who used it unlock AT&T mobile phones.
In a statement, FCC Chairman Tom Wheeler said, “The commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.”
On the other hand, Travis LeBlanc, Chief of Enforcement Bureau at FCC said, “Today’s agreement shows the Commission’s unwavering commitment to protecting consumer’s privacy.” He added that FCC ensures that phone companies properly secure customer data, promptly notify customers when their personal data was accessed without authorization, and implement robust internal processes to prevent future breaches.
AT&T to terminate vendor sites as appropriate
In an e-mailed statement to Bloomberg, AT&T spokesman Michael Balmoris said the company is “terminating vendor sites as appropriate.” He added that the company has no reason to believe that the customers’ personal information were used for identity theft or financial fraud.
Aside from the $25 million civil penalty, AT&T also agreed to inform customers whose accounts were breached, and to pay credit monitoring services for them.
In addition, the company agreed to hire a compliance manager to perform a privacy risk assessment, implement an information security program, prepare proper compliance manual, and conduct regular training of employees regarding its privacy policies.