AT&T has agreed to a $25 million fine from the Federal Communications Commission, the largest privacy and data security enforcement action ever taken by the agency, to end an investigation into data breaches that exposed personal information of nearly 280,000 US customers.
The breach happened in 2013 and 2014 at AT&T call centers in Mexico, Colombia, and the Philippines, said the FCC. Employees at these call centers accessed customer records containing names, full or partial Social Security numbers and protected account-related data, according to findings by the FCC’s Enforcement Bureau.
“As the nation’s expert agency on communications networks, the Commission cannot–and will not–stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler, in a statement. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
The employees obtained information to unlock cellphones and handed it over to third parties, which paid the employees for the information after providing lists of names.
The FCC said AT&T will notify every customer of the data breach and pay for credit monitoring services for affected customers in Colombia and the Philippines. The telecommunications company will also need to improve its privacy and data security practices, train employees on the company’s privacy policies, appoint a senior compliance manager and conduct in-house assessments of an implemented information-security program.
“Today’s agreement shows the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches,” said Travis LeBlanc, chief of the Enforcement Bureau, in the statement. “We hope that all companies will look to this agreement as guidance.”