AT&T data breaches exposed about 280,000 U.S. customers’ names and full or partial Social Security numbers.
The breaches occurred at call centers used by AT&T in Mexico, Colombia, and the Philippines when employees accessed sensitive customer data without adequate authorization. Those employees took payment from third parties who wanted customer names and Social Security numbers so they could unlock stolen cell phones for sale on secondary markets. The breach in Mexico lasted 168 days, from November 2013 to April 2014. The investigation revealed that three call center employees were paid by third parties to obtain customer information, specifically names and at least the last four digits of customers’ Social Security numbers, that could then be used to submit online requests for cellular handset unlock codes; 290,803 handset unlock requests were submitted through AT&T’s online customer unlock request portal.
AT&T is terminating some of its vendor sites “as appropriate.”
AT&T will make a $25 million civil payment and will be required to notify all customers whose accounts were improperly accessed, pay for credit monitoring services for all affected customers, hire a compliance manager who will conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual, and regularly train employees on the company’s privacy policies.