The Federal Communications Commission on Wednesday took its most significant action yet to protect consumer data by fining AT&T $25 million for handing over the personal information of 280,000 U.S. customers to smartphone thieves.
According to the agency’s Enforcement Bureau, AT&T call centers in Mexico, Colombia and the Philippines disclosed customers’ names, partial and full Social Security numbers and private account data without authorization to “third parties” allegedly trafficking stolen smartphones.
The traffickers paid call center employees to access AT&T customer proprietary network information (CPNI) and turn over information used to request handset unlock codes for stolen phones.
“As the nation’s expert agency on communications networks, the commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC Chairman Tom Wheeler said in a statement Wednesday.
The data breach took place over the course of 168 days between November 2013 and April 2014, during which three employees at a Mexico call center accessed some 68,000 accounts without customer authorization. Smartphone traffickers used that information to submit 290,803 unlock requests for stolen smartphones.
Another 40 employees at call centers in Colombia and the Philippines accessed similar data in connection with 211,000 accounts.
As part of the $25 million settlement, AT&T agreed to notify customers who had their data exposed, improve its privacy and security standards, regularly report on the company’s progress to the FCC and pay for credit monitoring services for customers caught up in the breach in Colombia and the Philippines.