Today, AT&T has agreed to pay a record breaking $25 million fine to settle a complaint filed by the Federal Communication Commission (FCC). In the complaint filed by the federal regulators, the commission stated that about 280,000 customers had such data stolen including Social Security numbers and call metadata. The data in question was stolen from subscribers by contracted call centers located in places like Mexico, Colombia, and the Philippines. The FCC investigators said that from November 2013 to April 2014, the call centers in question, took data from about 68,000 people. An FCC official was noted stating that in all likelihood, the data was taken from customers who spoke Spanish. As the call centers that were contracted had been utilized to help Spanish speaking customers. On behalf of the FCC, Chairman, Tom Wheeler stated “The commission cannot, and will not, stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.”
The data not only included social security numbers, but names as well. That data was then taken by scammers, that then called AT&T to request that approximately 300,000 cell phones be unlocked. While investigations were ongoing in Mexico, the FCC also discovered shockingly similar breaches in the island nation of the Philippines and then in Columbia. The additional breaches yielded another 210,000 customers who likely had their data stolen in a similar manner.
AT&T recently acknowledged the breach but only categorized them as limited in nature. This was filed by the phone conglomerate in papers with Vermont and California regulators. However, this only concerned the case in Mexico. The incidents in the Philippines and Colombia were not disclosed by AT&T, in any recent filings. In a statement about the data breaches, the company stated “While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers,”AT&T then went on to speculate that the data obtained was used to program phones with the unlock codes to enable them to be used on other networks in the area.
It’s probable that thousands of Americans will be only learning about this in the near future, as no American procedures of law are set in place to advise individuals who have had their data stolen. Currently, the only way to know is through third party companies such as LifeLock. Congress has debated this issue, however, nothing is currently in the pipeline for a vote. There are, however, 47 states that have data breach notification procedures on their own books. The states without a law are South Dakota, New Mexico and Alabama. AT&T has thirty days to pay the fine and will also have to notify all affected by the data breach.