FCC Fines AT&T $25 Million for Privacy Violations

On April 8, the FCC imposed on AT&T its largest ever fine for data privacy violations. For 168 days, from November 2013 to April 2014, employees of a call center in Mexico, using computer systems maintained and operated by AT&T, accessed customer accounts to steal and sell cell phone handset unlock codes along with personal information needed to use the unlock codes. They sold this information to an individual identified only as “El Pelón,” the “Bald Man.” Personal information of 51,422 separate customers was compromised in Mexico.

During its investigation, AT&T determined that similar violations had been occurring in other call centers in the Philippines and Columbia, involving the personal information of another 211,000 customers. It also discovered that suspicious employee activity at the Mexican call center dating back to December 2012, which had led to the termination of one employee and the voluntary departure of another, also likely involved customer personal information.

In its Consent Decree with the FCC, AT&T has agreed to pay a $25 million civil penalty, hire or appoint a compliance officer, create a compliance plan to be submitted to the FCC within 90 days, and file compliance reports with the FCC every six months for the next three years. AT&T is also required to implement, monitor, and make ongoing improvements to an information security program to protect customer personal information from unauthorized access, use, or disclosure, covering both its own employees and vendor employees.