The Sony security breach may have seemed as farcical as the movie that instigated the whole thing when it was being played out in the media, but the damages the incident caused were very real and very costly. The company lost a lot of money, and divulging the personal emails of senior officials at Sony resulted in its reputation taking a huge blow. While that data breach was very public, there are tens of thousands of incidents that don’t make the news, but they nevertheless cause just as much damage, if not more. A breach that took place in AT&T call centers in Mexico, Colombia and the Philippines didn’t make much news when it happened; but what brought it to light was the settlement the company made with the FCC.
The Columbus Dispatch reported the $25 million the company was ordered to pay is the largest privacy and data security enforcement action to date. And while the amount might seem paltry compared to the multi-billion dollar fines in the financial sector, companies are put on notice regarding the measures they must implement in protecting the private information of their customers.
If there is anything that gets the attention of businesses, it is hefty fines levied by regulators, because the amount keeps increasing until the problem is resolved. The FCC went after AT&T for its violation of Section 222 and Section 201 of the Communications Act, which requires operators to secure the personal information of their customers.
The FCC revealed the breach resulted in compromising the names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI) of 280,000 customers.
The agency’s Enforcement Bureau initiated the investigation in May 2014 after a 168-day data breach took place at an AT&T call center in Mexico between November 2013 and April 2014. The center was accessed by three employees who were paid to get the data, which netted 68,000 accounts. The information was then used to submit 290,803 handset unlock requests codes through AT&T’s online portal. The criminals used the information to unlock secondary market or stolen phones.
While conducting the investigation, the bureau learned call centers in Colombia and the Philippines also experienced breaches in which 40 employees were involved in accessing 211,000 customer accounts, bringing the total for the three countries to 280,000.
The conditions of the settlement requires AT&T to pay a $25 million civil penalty, notify all of the customers whose accounts were compromised, and pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines. Additionally, the company has to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional.
The role of this official will be to carryout privacy risk assessments and implement an information security program, formulate a compliance manual, and train employees on the company’s privacy policies.
“As the nation's expert agency on communications networks, the Commission cannot — and will not —stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
The FCC reports it has taken five major enforcement actions totaling more than $50 million in the past year in order to protect consumer privacy and data security. Some of the companies that were targeted by the agency include: Dialing Services, LLC; Sprint Corporation; Verizon; TerraCom, Inc.; and YourTel America, Inc. for a range of violations.