


   April 8, 2015  Neil Grace, 202-418-0506



                 FCC's Largest Data Security Enforcement Action

   Washington, D.C. - The Federal Communications Commission has entered a $25
   million settlement with AT&T Services, Inc. to resolve an investigation
   into consumer privacy violations at AT&T's call centers in Mexico,
   Colombia, and the Philippines. The data breaches involved the unauthorized
   disclosure of almost 280,000 U.S. customers' names, full or partial Social
   Security numbers, and unauthorized access to protected account-related
   data, known as customer proprietary network information (CPNI). This is
   the FCC's largest privacy and data security enforcement action to date.

   According to an investigation by the FCC's Enforcement Bureau, these data
   breaches occurred when employees at call centers used by AT&T in Mexico,
   Colombia, and the Philippines accessed customer records without
   authorization. These employees accessed CPNI while obtaining other
   personal information that was used to request handset unlock codes for
   AT&T mobile phones, and then provided that information to unauthorized
   third parties who appear to have been trafficking in stolen cell phones or
   secondary market phones that they wanted to unlock.

   "As the nation's expert agency on communications networks, the Commission
   cannot -- and will not -- stand idly by when a carrier's lax data security
   practices expose the personal information of hundreds of thousands of the
   most vulnerable Americans to identity theft and fraud," said FCC Chairman
   Tom Wheeler.  "As today's action demonstrates, the Commission will
   exercise its full authority against companies that fail to safeguard the
   personal information of their customers."

   "Consumers trust that their phone company will zealously guard access to
   sensitive personal information in customer records," said Travis LeBlanc,
   Chief of the Enforcement Bureau. "Today's agreement shows the Commission's
   unwavering commitment to protect consumers' privacy by ensuring that phone
   companies properly secure customer data, promptly notify customers when
   their personal data has been breached, and put in place robust internal
   processes to prevent against future breaches. We hope that all companies
   will look to this agreement as guidance."

   In May 2014, the Enforcement Bureau launched its investigation into a
   168-day data breach that took place at an AT&T call center in Mexico
   between November 2013 and April 2014. During this period, three call
   center employees were paid by third parties to obtain customer information
   -- specifically, names and at least the last four digits of customers'
   Social Security numbers -- that could then be used to submit online
   requests for cellular handset unlock codes. The three call center
   employees accessed more than 68,000 accounts without customer
   authorization, which they then provided to third parties who used that
   information to submit 290,803 handset unlock requests through AT&T's
   online customer unlock request portal.

   The Enforcement Bureau also learned during the course of its investigation
   that AT&T had additional data breaches at other call centers in Colombia
   and the Philippines. AT&T informed the Bureau that approximately 40
   employees at the Colombian and Philippine facilities had also accessed
   customer names, telephone numbers, and at least the last four digits of
   customer Social Security numbers to obtain unlock codes for AT&T mobile
   phones. Approximately 211,000 customer accounts were accessed in
   connection with the data breaches in the Colombian and Philippine

   As a condition of settlement, AT&T will pay a $25 million civil penalty.
   The company will also notify all customers whose accounts were improperly
   accessed. AT&T will pay for credit monitoring services for all consumers
   affected by the breaches in Colombia and the Philippines.

   Additionally, AT&T will be required to improve its privacy and data
   security practices by appointing a senior compliance manager who is a
   certified privacy professional, conducting a privacy risk assessment,
   implementing an information security program, preparing an appropriate
   compliance manual, and regularly training employees on the company's
   privacy policies and the applicable privacy legal authorities. AT&T will
   file regular compliance reports with the FCC.

   The failure to reasonably secure customers' personal information violates
   a carrier's duty under Section 222 of the Communications Act, and also
   constitutes an unjust and unreasonable practice in violation of Section
   201 of the Act. The Commission has made clear that it expects
   telecommunications carriers to take "every reasonable precaution" to
   protect their customers' data. The Commission has also adopted rules that
   require carriers to take reasonable measures to discover, report, and
   protect against attempts to access CPNI without authorization.

   With this action, the Commission has taken five major enforcement actions
   valued at over $50 million in the last year to protect consumer privacy
   and data security. In May 2014, the Commission announced a $2.9 million
   planned fine against Dialing Services, LLC, for violating Commission rules
   that seek to protect consumers from harassing, intrusive, and unwanted
   robocalls to mobile devices. Also in May 2014, Sprint Corporation entered
   into a $7.5 million settlement to resolve an investigation into Sprint's
   failure to honor consumers' do-not-call or do-not-text requests. In
   September 2014, the Commission reached a $7.4 million settlement with
   Verizon to address the company's unlawful marketing to two million
   customers without their consent or notification of their privacy rights.
   In October 2014, the Commission announced a $10 million planned fine
   against TerraCom, Inc., and YourTel America, Inc., for failing to provide
   reasonable protection for customers' personal information.

   For more information about the FCC's rules protecting the privacy of
   consumers' personal information, see:

   The AT&T Order and Consent Decree are available at:

   The Dialing Services NAL is available at:

   The Sprint Consent Decree is available at:

   The Verizon Consent Decree is available at:

   The Terracom/YourTel NAL is available at:



   Federal Communications Commission

   445 12th Street, S.W.

   Washington, D.C. 20554

   This is an unofficial announcement of Commission action. Release of the
   full text of a Commission order constitutes official action.

   See MCI v. FCC, 515 F.2d 385 (D.C. Cir. 1974).

                                        News Media Information 202 / 418-0500


