AT&T is about to pay heavily for a data breach which saw a wealth of personal data stolen and sold from some of its call centers last year. The FCC has fined the network $25 million for the breach, and said it would “not stand idly by when a carrier’s lax data security practices expose personal information.” The breaches in question happened at AT&T’s call centers located in Mexico, Colombia, and the Philippines, and involved personal data related to nearly 280,000 people. The information accessed included Social Security numbers, names, and other account data.
According to the FCC’s report, the primary breach was a lengthy operation spanning 168 days at AT&T’s Mexico call center, where three employees illegally accessed nearly 70,000 accounts. What did they want with all this information? Apparently, two of the employees confessed they were selling the data to a shadowy group or person known only as El Pelon, which is slang for “the bald guy” or, slightly more sinisterly, “The Bald One.”
The Bald One, or members of his follicly challenged gang, went on to use around 50,000 of these records to file 290,000 unlock requests via AT&T’s online system. Presumably, this was to unlock stolen phones ready for use on other networks.
Although the FCC’s investigation specifically details the Mexico breach between November 2013 and April 2014, AT&T had been aware of the situation before and after those dates. In December 2012 an employee at the center was fired for accessing accounts without authorization, and another resigned for a similar reason in January 2013. Neither incident was classed as a breach by AT&T. In March this year, AT&T told the FBI it was investigating similar data breaches in Colombia and the Philippines.
The $25 million fine is the largest the FCC has handed out to date over security enforcement, and it has also ordered AT&T to appoint a senior data security compliance manager, develop a new compliance plan, and train its employees on privacy policies. The network will also provide a free number for customers to call if they’re concerned about their own data. AT&T stopped using the call center in Mexico during September 2014, and has 30 days to pay the FCC.