AT&T will pay $25M over scheme to steal customers’ data

AT&T will pay $25M over scheme to steal customers’ data
© Getty Images

AT&T is agreeing to pay $25 million to settle allegations that a weak security system allowed criminals to obtain hundreds of thousands of customers’ data.

According to the Federal Communications Commission (FCC), employees at AT&T call centers in Mexico, Colombia and the Philippines participated in a massive theft scheme that allowed for people’s stolen cellphones to be unlocked and reused.


Outside criminals such as El Pelon — the alias of one person involved in the scheme in Mexico — gave call center workers a list of phone numbers for stolen phones, the FCC said. Those workers then went into AT&T’s system to connect the numbers with people’s names and at least the last four digits of their Social Security number so that the outsiders could request that AT&T unlock the phones.

In total, the scheme affected information of about nearly 280,000 AT&T customers, the FCC said, all of whom had U.S. phone numbers.

“As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC Chairman Tom Wheeler said in a statement. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

A senior FCC official told reporters on Wednesday that the agency was not sure whether or not the call centers also had contracts with other cellphone service companies, such as Verizon or Sprint.

The settlement is only the FCC’s second ever for a privacy and data security issue, following on a $10 million fine to a pair of small phone companies last October. The agency’s growing involvement in the area represents the emergence of a new cop on the beat amid rising concerns about identity theft and data breaches.

In light of the case, AT&T said that it was ending its service with some of its vendor sites and beefing up its internal protections.

"While any misuse of customer information is serious, we have no reason to believe that the information was used for identity theft or financial fraud against our customers,” spokesman Michael Balmoris said in a statement. “Instead, our investigation suggests that the improperly accessed information was used to get codes that allow phones programmed for the AT&T network to be used on other networks."

In addition to the $25 million penalty, AT&T also agreed to get in touch with and provide credit monitoring services to the customers affected by the breach.

The action comes as FCC regulators review AT&T’s proposed merger with DirecTV, but the senior agency official said that the new case would not have any impact on that process.