AT&T Fined $25M for Offshore Customer Data Leak

John Lister

AT&T will pay a $25 million fine after regulators held it responsible for thieves taking personal details of 280,000 customers. The breaches were said to have occurred around November 2013 and April 2014, with the FCC beginning its investigation around May of 2014. It's the biggest ever such fine in the communications industry.

The stolen information included the customers' names, part or all of their social security numbers, and some details about their account. On its own, the data wouldn't be enough for criminals to immediately steal money from customers' bank accounts, but could make identity theft significantly easier.

The thefts took place at call centers based in Mexico, Colombia and the Philippines. AT&T says it will stop doing business with those call centers, but hasn't yet confirmed the precise timetable for when it will do so.

Call Center Staff Bribed To Leak Data

This wasn't a case of hacking or physically stealing stored data. Instead, call center staff were paid to look up and pass on customer details. There's no word yet on how much the staff were paid or how this compared with the wages they received from their employers.

It seems the goal of the data theft was to make it easier to unlock phones, meaning they could run on any cellular network, even though they were supposed to be 'locked' to AT&T as a condition of the network subsidizing the original handset purchase. Having the customer name and the last four digits of the social security number would be enough to make an online request to unlock the phone.

The most likely explanation is that the people who paid for the stolen data wanted to make it easier to resell stolen phones. It's not yet clear if they had already stolen the phones and wanted the details, or if they planned to build up a massive database of stolen details ready to check when they got hold of a phone.

Customers Get Credit Monitoring As Compensation

As part of its investigation, the FCC discovered that the call center staff who'd taken the bribes would also have had access to customer call records, including the times and duration of calls and the number dialed. However, it doesn't appear the staff passed on any of those details.

The FCC concluded that even though the breach took place at a third-party call center, AT&T didn't do enough to make sure such a data theft didn't happen. "As the nation's expert agency on communications networks, the commission cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," noted FCC Chairman Tom Wheeler.

AT&T now has 30 days to pay the fine. It will also have to contact all the affected customers, inform them of the breach, and offer to pay for credit monitoring services.

What's Your Opinion?

Is $25 million a fair and sufficient penalty given the circumstances? Could firms do more to make sure third-party call centers, including those based overseas, reduce the risk of staff stealing data? Or should tech firms keep all call centers and data handling in-house?
