Today, the Federal Communications Commission levied a record-setting $25 million fine on AT&T, after employees at call centers in three countries stole and then sold the personal data of almost 280,000 customers.
The stolen data included customers' names, full or partial Social Security numbers and other protected data collectively known as customer proprietary network information, or CPNI.
“As the nation's expert agency on communications networks, the Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
According to the FCC:
employees at call centers used by AT&T in Mexico, Colombia and the Philippines …. accessed CPNI while obtaining personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.
In addition to paying the fine within 30 days, AT&T will also have to notify and offer credit monitoring to all customers whose data was stolen, improve its security practices, hire a compliance manager with a privacy focus, and submit regular reports about all of this to the FCC.