BreachExchange mailing list archives

FCC fines AT&T a record $25 million for customer data thefts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Apr 2015 19:26:02 -0600

http://www.theverge.com/2015/4/8/8370515/att-fcc-settlement-data-thefts-25-million-fine

The Federal Communications Commission is handing AT&T a $25 million fine,
the largest-ever amount for a privacy-related issue, for a series of data
breaches that gave out personal information for nearly 280,000 customers
and contributed to international trafficking of stolen mobile phones. The
breaches occurred during 2013 and 2014 at AT&T call centers in Mexico,
Colombia, and the Philippines, all serving customers in the US. AT&T has
agreed to a settlement and to making several changes to its security
practices.

The commission found that a number of employees at each of the three AT&T
data centers had improperly accessed customer information and then sold
that information to third parties. The story sounds like a cellphone heist:
in Mexico, an entity known as El Pelon provided call center workers with a
list of phone numbers that it wanted them to look up. Workers would then
grab information associated with the account — including customer name and
the last four digits of the owner's social security number — and sell it
back to El Pelon.

In all locations, the stolen information was used to make unlock requests
for the associated phones through AT&T's website, potentially allowing the
phones to be resold. The commission believes that El Pelon is an alias, and
it is not aware of the third parties involved at the other two call
centers. Additional data was exposed to call center employees during the
breach, including call metadata such as who a person called and for how
long, but it does not appear that this information was forwarded to the
third parties. AT&T says that it is "terminating vendor sites as
appropriate."

"The commission cannot — and will not — stand idly by when a carrier's lax
data security practices expose the personal information of hundreds of
thousands of the most vulnerable Americans to identity theft and fraud,"
FCC chairman Tom Wheeler says in a statement. "As today’s action
demonstrates, the commission will exercise its full authority against
companies that fail to safeguard the personal information of their
customers."

AT&T will have to pay the $25 million fine within 30 days. It will have to
notify all customers whose accounts were accessed and provide them with
credit monitoring services. AT&T has also agreed to improve its data
security practices, appoint a compliance manager with an expertise in
privacy, and regularly submit compliance reports to the FCC. "We’ve changed
our policies and strengthened our operations," AT&T says in a statement.
"And we have, or are, reaching out to affected customers to provide
additional information." The commission notes that its investigation into
the breaches is ongoing, and it's possible that more AT&T customers than it
currently knows of have been affected.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com