AT&T leaks 280,000 customers’ data, fined $25 million

Unfortunately, it has become an all too common occurrence these days to find out that yet another mega-corp has somehow lost customers’ names, Social Security numbers and other personal data, either to hackers or to plain laziness. The latest data breach to surface happened to AT&T and lasted from November 2013 through April 2014.

The company has settled with the FCC to the tune of $25,000,000. As part of the settlement AT&T will notify every customer who may have been affected, pay for credit monitoring services, hire a compliance manager to conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual and regularly train employees on the company’s privacy policies.

It turns out that AT&T let slip the names, partial Social Security numbers and other customer data when employees at its Mexican call centers took money from an undisclosed (or unknown) source to steal the information. They got away with enough data from roughly 68,000 accounts to submit over 290,000 handset unlock requests.

The FCC started investigating the incident in May 2014 and discovered that the same thing was happening in AT&T’s Colombian and Philippine call centers too. In those countries the thieves accessed roughly 211,000 customer accounts.

It’s not hard to figure out how this happened. AT&T wanted to save some money by outsourcing its call center operations to a handful of third-world countries where it could pay the workers a fraction of what it would have had to pay U.S. workers. Those workers, who were probably making far less than $10,000 a year, had received little to no training and worked in call centers with little or no security measures in place, were easily swayed into stealing customer data for a little extra cash. The fact that the thefts went on for six months proves that whatever security was in place was woefully inadequate.

An AT&T company spokesman said, “Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate.”

What else are they going to say? ‘We really don’t give a crap about our customers’ privacy. All we really care about are profits – that’s why we set up these cheap overseas call centers in the first place. And we fully realize that some of these underpaid employees are going to steal the occasional stapler, maybe a few rolls of toilet paper and 280,000 customer records every once in a while. That’s almost inevitable. But when they are caught, we have no trouble shutting down that call center and putting all those people out of work.’

I’ve said it before. Any company or government agency that processes customers’ private data should be required by law to encrypt virtually all of that data no matter where on earth it is stored; to protect it with the utmost security whenever it is transferred, transmitted or shared with any other company; to alert the government and its customers of any data breach in a timely manner; and to make restitution to those customers in a timely fashion. And if there is a breach and it is discovered that the company did not do everything in its power to prevent it, then its top officials should stand trial on criminal charges.

Twenty-five million dollars is chump change to a company like AT&T – it’s certainly not enough of a slap on the wrist to make them change the way they do business. But drag their CEO into court to face criminal negligence charges and the possibility of real jail time, and I think we might begin to see other companies changing their attitudes toward their customers’ data security rather than face the same embarrassing fate.