Telco-Data Breach

15 April 2015

On April the 8th 2015, it was confirmed by the USA Federal Communications Commission (FCC) that they reached a USD 25 million settlement with AT&T Inc. (AT&T) over an incident concerning a consumer data breach at their call centres. This follows the two fines issued by the FCC to two other USA Communications, Technology and Media (CTM) corporations in October 2014 for similar consumer data privacy regulation violations. 

AT&T is one of the world’s largest telecommunications companies; based in Dallas, Texas, with operations providing multiple services, annual revenues exceeding USD 132 billion, and over 120 million customers. It is the largest provider of fixed telecommunications, and second largest mobile operator in the USA.

The FCC began investigating AT&T data breaches in May 2014, initially focussing on their outsourced Mexico call centre operations. It came to light that several call centre employees had abused their login credentials to access and steal personal information, in order to request unlock codes for stolen handsets, working with criminals (who are inferred to be third party handset traffickers or secondary market phone unlockers).

As a result of the above investigation it also came to light that additional breaches had occurred in two other outsourced operations in Colombia and the Philippines. Under these three breaches, it was determined that the personal details of  approximately 280,000 customers were accessed across the three facilities involving around 43 employees of the call centre company; this data included names, social security numbers and customer account details. The incidents occurred throughout 2013 and 2014. AT&T activated internal and external processes which involved contacting all the affected data subjects. It terminated its contracts with the third party companies responsible for operating the affected call centres and worked on strengthening its policies and procedures to avoid a similar event in the future.