AT&T has agreed to pay a $25 million fine for lax security at overseas call centres, where employees stole customers' personal information and sold it to mobile phone traffickers.
The FCC has announced the settlement after a long investigation into the breach, which involved the data of 280,000 AT&T customers.
The FCC blames AT&T for its lax stance on security in centres throughout Mexico, Colombia and the Philippines, where employees were stealing personal information used to unlock stolen high-end phones in a syndicate that reached around the globe.
The employees “provided that information to unauthorised third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock,” an FCC statement said.
The breach allowed those in the scheme to get customer names, full or partial social security numbers and other data that could be used to submit an “unlock” request to the big US telecom carrier, allowing them to resell stolen devices.
The breaches exposed US victims to potential identity theft, according to the FCC, which said the settlement requires AT&T to offer credit monitoring and notifications to affected consumers.
FCC chairman Tom Wheeler said the agency “cannot and will not stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.”
The FCC began a probe after learning of a 168-day data breach that took place at an AT&T call centre in Mexico between November 2013 and April 2014.
During this period, three employees were paid by outside parties to obtain customer information that could then be used to submit online requests for cellular handset unlock codes, the FCC said.
In Mexico, some 68,000 customers had data compromised, according to investigators.
The probe was later extended to call centres in Colombia and the Philippines. In those two countries, 40 employees were able to access the confidential data and sold information on around 211,000 customers, the FCC said.
The FCC said the case represented its “largest privacy and data security enforcement action to date” and also requires AT&T to upgrade its security procedures and appoint a privacy compliance officer.
AT&T said in a statement regarding the case that it sees customer privacy as “critical.”
“We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate,” the company said.
“We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”