AT&T set­tles breach probe

Firm OKs $25-mil­lion pay­ment over pri­vacy case in­volv­ing call cen­ters in 3 na­tions.

Los Angeles Times - - BUSINESS - By Jim Puz­zanghera jim.puz­zanghera@la­ Twit­ter: @JimPuz­zanghera

The com­pany agrees to pay $25 mil­lion over an in­ves­ti­ga­tion into data breaches in­volv­ing call cen­ters in three na­tions.

AT&T Inc. has agreed to pay $25 mil­lion to set­tle an in­ves­ti­ga­tion into data breaches at call cen­ters in Mex­ico, Colom­bia and the Philip­pines that led to the dis­clo­sure of per­sonal in­for­ma­tion of about 280,000 U.S. cus­tomers, fed­eral reg­u­la­tors said Wed­nes­day.

Em­ploy­ees at the call cen­ters were paid for the in­for­ma­tion by peo­ple, in­clud­ing a mys­te­ri­ous man in Mex­ico known only as El Pelon, who ap­pear to have been us­ing it to un­lock stolen cell­phones, the Fed­eral Com­mu­ni­ca­tions Com­mis­sion said.

The call cen­ters, which were op­er­ated by third par­ties, han­dled calls from U.S. cus­tomers, the FCC said. The data breaches be­gan in 2013 and con­tin­ued into last year.

The set­tle­ment is the largest ever by the agency in a pri­vacy case.

“As the na­tion’s ex­pert agency on com­mu­ni­ca­tions net­works, the com­mis­sion can­not — and will not — stand idly by when a car­rier’s lax data se­cu­rity prac­tices ex­pose the per­sonal in­for­ma­tion of hun­dreds of thou­sands of the most vul­ner­a­ble Amer­i­cans to iden­tity theft and fraud,” said FCC Chair­man Tom Wheeler.

Be­cause of state laws, AT&T cus­tomers in Cal­i­for­nia and Ver­mont pre­vi­ously had been no­ti­fied that their per­sonal in­for­ma­tion was im­prop­erly dis­closed in the breach.

How­ever, other cus­tomers were un­aware of the prob­lem. Un­der the set­tle­ment, AT&T must no­tify them and pay for credit mon­i­tor­ing ser­vices as well as im­prove the com­pany’s data se­cu­rity prac­tices, the FCC said.

AT&T said it was reach­ing out to af­fected cus­tomers.

“Pro­tect­ing cus­tomer pri­vacy is crit­i­cal to us. We hold our­selves and our ven­dors to a high stan­dard,” the com­pany said in a state­ment. “Un­for­tu­nately, a few of our ven­dors did not meet that stan­dard and we are ter­mi­nat­ing ven­dor sites as ap­pro­pri­ate.”

Nei­ther the FCC nor AT&T would name the call cen­ters.

Last May, the FCC be­gan in­ves­ti­gat­ing the data breach at the Mex­ico call cen­ter, which han­dles calls from Span­ish-speak­ing U.S. cus­tomers.

From Novem­ber 2013 un­til April 2014, three call cen­ter em­ploy­ees were paid to pro­vide the names and at least the last four dig­its of So­cial Se­cu­rity num­bers for more than 68,000 U.S. cus­tomers, the FCC said.

The in­for­ma­tion could be used to sub­mit on­line re­quests to AT&T to un­lock cell­phones. Each cus­tomer is al­lowed to re­quest un­lock codes for five phones, and the FCC said the im­prop­erly ob­tained in­for­ma­tion was used for 290,083 such re­quests.

At least two of the em­ploy­ees said they sold the in­for­ma­tion to El Pelon. The FCC said its of­fi­cials do not know the man’s iden­tity.

Dur­ing the in­ves­ti­ga­tion, the FCC learned that there were sim­i­lar data breaches at call cen­ters in Colom­bia and the Philip­pines in­volv­ing the per­sonal in­for­ma­tion of about 211,000 U.S. cus­tomers, the agency said.

In De­cem­ber, AT&T changed its phone un­lock­ing pol­icy to no longer re­quire in­for­ma­tion from cus­tomer records, the FCC said.

Paul Sancya

BREACHES at call cen­ters in Mex­ico, Colom­bia and the Philip­pines led to the dis­clo­sure of per­sonal in­for­ma­tion of about 280,000 U.S. cus­tomers of AT&T.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.