The Federal Communications Commission (FCC) recently announced that AT&T has agreed to pay a $25 million fine for privacy violations related to a 2014 data breach that exposed almost 280,000 customers’ names, full or partial Social Security numbers, and account-related data, including customer proprietary network information (CPNI).
The fine is the FCC’s largest privacy and data security enforcement action to date.
In addition to paying the fine, AT&T will notify all customers whose accounts were improperly accessed and will provide them with free access to credit monitoring services.
The company will also be required to appoint a senior compliance manager, conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual, train employees on the company’s privacy policies, and file regular compliance reports with the FCC.
The breach took place when employees at third-party call centers in Mexico, Colombia and the Philippines contracted by AT&T accessed customer records without authorization. The stolen data was then sold to third parties, who used it to acquire handset unlock codes for stolen or secondary market mobile phones.
“As the nation’s expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC chairman Tom Wheeler said in a statement.
“Today’s agreement shows the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches,” said Travis LeBlanc, chief of the FCC’s Enforcement Bureau.
Robert Cattanach, partner at the law firm Dorsey & Whitney, told eSecurity Planet by email that the FCC’s settlement with AT&T is notable not only for being two and a half times the previous largest penalty the agency has imposed, but also for calling into question the integrity of call centers outside the U.S.
“The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Colombia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack,” Cattanach said.
Still, Tripwire director of security research and development Chris Conacher said that while $25 million might sound like a lot, it’s not even a slap on the wrist for a company that spends over $1 billion a year on advertising alone.
“If you really want companies to think about security, you need to do something that makes the decision makers sit up and listen,” Conacher said.
“As long as the fines aren’t putting businesses into bankruptcy (or even serious financial peril, for that matter), executives and boards are free to decide they are better off investing the bare minimum in security and saving the rest for possible breach costs and fines,” Tripwire security researcher Craig Young added.