AT&T’s contracted overseas call centers are at the center of a huge customer data breach that has cost the carrier a record $25 million in damages, after the FCC levied the fine earlier today. The fine covers the scope of the breach, which began in early 2014 and exposed the personal data of some 280,000 AT&T customers through call centers located in Mexico, Colombia and the Philippines.
The FCC found that customers’ names, Social Security details, and private account information were accessed by call center workers, who then provided those details to unauthorized third parties trafficking in stolen cell phones. Those third parties used the data to acquire unlock codes so that the stolen devices could be used overseas, outside the jurisdiction of the US stolen phone blacklist, which now prevents such use.
The breach ran from November 2013 to April 2014, with the FCC’s investigation beginning in May of that year. During that period, three employees at a Mexican call center were paid by third parties to obtain customer information. Those employees accessed more than 68,000 accounts without customer authorization and provided the information to third parties, who used it to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.
During the course of the investigation, more breaches were discovered by AT&T and subsequently relayed to the Commission, with 40 employees at the Colombian and Philippine call centers also accessing customer names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. Approximately 211,000 customer accounts were accessed in connection with the data breaches in the Colombian and Philippine call centers.
In addition to the fine, AT&T has agreed to notify the affected customers, provide credit score monitoring services, and improve its privacy and data security practices by appointing a senior compliance manager for privacy and information security.
The fine also comes at a time of increased scrutiny for carriers that use contracted overseas call centers. These centers have been the source of customer complaints over the years for providing poorer service than domestic call centers, and for having weaker protections against unauthorized data access and security breaches, since they are overseen not directly by the carriers but by third parties that land lucrative service contracts through lower labor costs compared to operating domestic call centers.