Friday, 10 April 2015

Insider Breach Costs AT&T

AT&T is paying a hefty price - $25 million - for call center employees in Mexico, Colombia and the Philippines accessing personally identifiable information from some 278,000 customer accounts without authorization.


The Federal Communications Commission says employees in 2013 and 2014 retrieved customer proprietary network information and other personal data that could be used to unlock AT&T mobile phones. Then, the employees provided that information to unauthorized third parties who appear to have trafficked in stolen cell phones or secondary market phones that they wanted to unlock.

"Today's action demonstrates the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers," FCC Chairman Tom Wheeler says.

The $25 million civil penalty assessed by the commission and agreed to by AT&T represents the largest privacy and data security enforcement by the FCC. The settlement was announced April 8.

Vendors Failed to Meet High Standards

AT&T declined to be interviewed, but issued a statement that says protecting customer privacy is critical to the company. "We hold ourselves and our vendors to a high standard," says Fletcher Cook, AT&T assistant vice president for global media relations. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."

According to the FCC, its Enforcement Bureau last May launched an investigation into a 168-day insider data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. Three call center employees were paid by third parties to obtain customer information, specifically names and at least the last four digits of customers' Social Security numbers, which could then be used to submit online requests for cellular handset unlock codes. The three employees accessed more than 68,000 accounts without customer authorization and provided the information to third parties, who used it to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal.

Mexican Probe Uncovers Colombia, Philippines Breaches
During the investigation, the FCC Enforcement Bureau discovered that AT&T had additional data breaches at other call centers in Colombia and the Philippines. AT&T informed the bureau that about 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. About 211,000 customer accounts were accessed in connection with the data breaches in Colombia and the Philippines.

Robert Cattanach, a partner at the law firm Dorsey & Whitney, says the insider breach calls into question the integrity of call centers outside of the United States. "The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Colombia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack," he says.

Besides imposing the fine, the FCC is requiring AT&T to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company's privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.

The FCC also is requiring AT&T to notify all customers whose accounts were improperly accessed and pay for credit monitoring services for consumers affected by the breaches in Colombia and the Philippines.
