AT&T has agreed to pay a $25 million penalty stemming from the theft of customer data in call centers in Mexico, Colombia and the Philippines.
The Federal Communications Commission carried out extensive investigations of the data breach in cooperation with the U.S. Secret Service. According to senior FCC officials speaking on background, the data breach was part of a massive phone theft ring.
The FCC officials held a press call on background before announcing the consent decree with AT&T. During that call, a senior FCC official said that the data breach was part of a larger scheme in which stolen AT&T cell phones were unlocked so they could be resold.
The scheme worked as follows: a shadowy figure, identified by law enforcement officials as "El Pelon," would provide lists of phone numbers to three AT&T call center employees. The employees would then examine the company's records and provide the names and partial Social Security numbers for a price.
The FCC official said that El Pelon was suspected of trafficking in phones stolen from AT&T customers in the U.S. Once the call center employees provided the additional information, the thieves would use it along with the cell phone number to get an unlocking code.
The name and SSN information were required to get an unlock code, but only one of the phones had to match an actual customer's information. Up to five phones of the same type could be unlocked using a single code and four of them did not need to be on the same account.
During the course of the investigation of the criminal activity in the Mexican call center, the FCC learned of similar problems in call centers in Colombia and the Philippines.
Those data breaches involved even more employees, a larger number of customers and more customer information. The breach in Mexico revealed information on more than 68,000 customers, while the breaches in Colombia and the Philippines exposed information on more than 211,000 customers.
The FCC also said that initially AT&T did not reveal the data breaches to the government. Instead, the FCC found out about the breaches from the Attorneys General of California and Vermont as well as from press reports, such as those in eWEEK.
The penalty, which is the largest of its type in FCC history, was levied on AT&T because the company did not protect customer information, as the agency requires. As a result, the customer information was available to anyone with access to customer accounts, including the contractors at the three call centers involved, where it was made available to unauthorized third parties.
AT&T has said that the company has terminated the contracts for the call centers, and that the employees involved were terminated. "Protecting customer privacy is critical to us," Emily Edmonds, director of corporate communications for AT&T, said in a prepared statement provided to eWEEK.