AT&T to pay US$25 mil­lion penalty for data breaches at for­eign call cen­ters

The China Post - - WORLD BUSINESS -

AT&T will pay a US$25 mil­lion fine for “lax se­cu­rity” at over­seas call cen­ters where em­ploy­ees stole per­sonal data for mo­bile phone traf­fick­ers, U.S. reg­u­la­tors said Wed­nes­day.

The Fed­eral Com­mu­ni­ca­tions Com­mis­sion an­nounced the set­tle­ment in the case which af­fected some 280,000 AT&T cus­tomers.

FCC of­fi­cials said the lack of se­cu­rity at AT&T call cen­ters in Mex­ico, Colom­bia, and the Philip­pines al­lowed em­ploy­ees in those lo­ca­tions to steal per­sonal in­for­ma­tion which could be used to “un­lock” stolen phones.

The em­ploy­ees “pro­vided that in­for­ma­tion to unau­tho­rized third par­ties who ap­pear to have been traf­fick­ing in stolen cell phones or sec­ondary mar­ket phones that they wanted to un­lock,” an FCC state­ment said.

The breach al­lowed those in the scheme to get cus­tomer names, full or par­tial so­cial se­cu­rity num­bers and other data that could be used to sub­mit an “un­lock” re­quest to the big U.S. tele­com car­rier, al­low­ing them to re­sell stolen de­vices.

The breaches ex­posed U.S. vic­tims to po­ten­tial iden­tity theft, ac­cord­ing to the FCC, which said the set­tle­ment re­quires AT&T to of­fer credit mon­i­tor­ing and no­ti­fi­ca­tions to af­fected con­sumers.

FCC chair­man Tom Wheeler said the agency “can­not — and will not — stand idly by when a car­rier’s lax data se­cu­rity prac­tices ex­pose the per­sonal in­for­ma­tion of hun­dreds of thou­sands of the most vul­ner­a­ble Amer­i­cans to iden­tity theft and fraud.”

The FCC be­gan a probe af­ter learn­ing of a 168-day data breach that took place at an AT&T call cen­ter in Mex­ico be­tween Novem­ber 2013 and April 2014.

Dur­ing this pe­riod, three call cen­ter em­ploy­ees were paid by out­side par­ties to ob­tain cus­tomer in­for­ma­tion that could then be used to sub­mit on­line re­quests for cel­lu­lar hand­set un­lock codes, the FCC said.

In Mex­ico, some 68,000 cus­tomers had data com­pro­mised, ac­cord­ing to in­ves­ti­ga­tors.

The probe later was ex­tended to call cen­ters in Colom­bia and the Philip­pines. In those two coun­tries, 40 em­ploy­ees were able to ac­cess the con­fi­den­tial data and sold in­for­ma­tion on around 211,000 cus­tomers, the FCC said.

The FCC said the case rep­re­sented its “largest pri­vacy and data se­cu­rity en­force­ment ac­tion to date” and also re­quires AT&T to up­grade its se­cu­rity pro­ce­dures and ap­point a pri­vacy com­pli­ance of­fi­cer.

AT&T said in a state­ment re­gard­ing the case that it sees cus­tomer pri­vacy as “crit­i­cal.”

“We hold our­selves and our ven­dors to a high stan­dard. Un­for­tu­nately, a few of our ven­dors did not meet that stan­dard and we are ter­mi­nat­ing ven­dor sites as ap­pro­pri­ate,” the com­pany said

“We’ve changed our poli­cies and strength­ened our op­er­a­tions. And we have, or are, reach­ing out to af­fected cus­tomers to pro­vide ad­di­tional in­for­ma­tion.”

Newspapers in English

Newspapers from Taiwan

© PressReader. All rights reserved.