Click here for Adobe Acrobat version
Click here for Microsoft Word version
Click here for ORDER & CONSENT DECREE
This document was converted from Microsoft Word.
Content from the original version of the document such as
headers, footers, footnotes, endnotes, graphics, and page numbers
will not show up in this text version.
All text attributes such as bold, italic, underlining, etc. from the
original document will not show up in this text version.
Features of the original document layout such as
columns, tables, line and letter spacing, pagination, and margins
will not be preserved in the text version.
If you need the complete document, download the
Microsoft Word or Adobe Acrobat version.
FOR IMMEDIATE RELEASE: NEWS MEDIA CONTACT:
April 8, 2015 Neil Grace, 202-418-0506
AT&T TO PAY $25 MILLION TO SETTLE CONSUMER PRIVACY INVESTIGATION
FCC's Largest Data Security Enforcement Action
Washington, D.C. - The Federal Communications Commission has entered a $25
million settlement with AT&T Services, Inc. to resolve an investigation
into consumer privacy violations at AT&T's call centers in Mexico,
Colombia, and the Philippines. The data breaches involved the unauthorized
disclosure of almost 280,000 U.S. customers' names, full or partial Social
Security numbers, and unauthorized access to protected account-related
data, known as customer proprietary network information (CPNI). This is
the FCC's largest privacy and data security enforcement action to date.
According to an investigation by the FCC's Enforcement Bureau, these data
breaches occurred when employees at call centers used by AT&T in Mexico,
Colombia, and the Philippines accessed customer records without
authorization. These employees accessed CPNI while obtaining other
personal information that was used to request handset unlock codes for
AT&T mobile phones, and then provided that information to unauthorized
third parties who appear to have been trafficking in stolen cell phones or
secondary market phones that they wanted to unlock.
"As the nation's expert agency on communications networks, the Commission
cannot -- and will not --stand idly by when a carrier's lax data security
practices expose the personal information of hundreds of thousands of the
most vulnerable Americans to identity theft and fraud," said FCC Chairman
Tom Wheeler. "As today's action demonstrates, the Commission will
exercise its full authority against companies that fail to safeguard the
personal information of their customers."
"Consumers trust that their phone company will zealously guard access to
sensitive personal information in customer records," said Travis LeBlanc,
Chief of the Enforcement Bureau. "Today's agreement shows the Commission's
unwavering commitment to protect consumers' privacy by ensuring that phone
companies properly secure customer data, promptly notify customers when
their personal data has been breached, and put in place robust internal
processes to prevent against future breaches. We hope that all companies
will look to this agreement as guidance."
In May 2014, the Enforcement Bureau launched its investigation into a
168-day data breach that took place at an AT&T call center in Mexico
between November 2013 and April 2014. During this period, three call
center employees were paid by third parties to obtain customer information
-- specifically, names and at least the last four digits of customers'
Social Security numbers -- that could then be used to submit online
requests for cellular handset unlock codes. The three call center
employees accessed more than 68,000 accounts without customer
authorization, which they then provided to third parties who used that
information to submit 290,803 handset unlock requests through AT&T's
online customer unlock request portal.
The Enforcement Bureau also learned during the course of its investigation
that AT&T had additional data breaches at other call centers in Colombia
and the Philippines. AT&T informed the Bureau that approximately 40
employees at the Colombian and Philippine facilities had also accessed
customer names, telephone numbers, and at least the last four digits of
customer Social Security numbers to obtain unlock codes for AT&T mobile
phones. Approximately 211,000 customer accounts were accessed in
connection with the data breaches in the Colombian and Philippine
As a condition of settlement, AT&T will pay a $25 million civil penalty.
The company will also notify all customers whose accounts were improperly
accessed. AT&T will pay for credit monitoring services for all consumers
affected by the breaches in Colombia and the Philippines.
Additionally, AT&T will be required to improve its privacy and data
security practices by appointing a senior compliance manager who is a
certified privacy professional, conducting a privacy risk assessment,
implementing an information security program, preparing an appropriate
compliance manual, and regularly training employees on the company's
privacy policies and the applicable privacy legal authorities. AT&T will
file regular compliance reports with the FCC.
The failure to reasonably secure customers' personal information violates
a carrier's duty under Section 222 of the Communications Act, and also
constitutes an unjust and unreasonable practice in violation of Section
201 of the Act. The Commission has made clear that it expects
telecommunications carriers to take "every reasonable precaution" to
protect their customers' data. The Commission has also adopted rules that
require carriers to take reasonable measures to discover, report, and
protect against attempts to access CPNI without authorization.
With this action, the Commission has taken five major enforcement actions
valued at over $50 million in the last year to protect consumer privacy
and data security. In May 2014, the Commission announced a $2.9 million
planned fine against Dialing Services, LLC, for violating Commission rules
that seek to protect consumers from harassing, intrusive, and unwanted
robocalls to mobile devices. Also in May 2014, Sprint Corporation entered
into a $7.5 million settlement to resolve an investigation into Sprint's
failure to honor consumers' do-not call or do-not-text requests. In
September 2014, the Commission reached a $7.4 million settlement with
Verizon to address the company's unlawful marketing to two million
customers without their consent or notification of their privacy rights.
In October 2014, the Commission announced a $10 million planned fine
against TerraCom, Inc., and YourTel America, Inc., for failing to provide
reasonable protection for customers' personal information.
For more information about the FCC's rules protecting the privacy of
consumer's personal information, see:
The AT&T Order and Consent Decree are available at:
The Dialing Services NAL is available at:
The Sprint Consent Decree is available at:
The Verizon Consent Decree is available at:
The Terracom/YourTel NAL is available at:
Federal Communications Commission
445 12th Street, S.W.
Washington, D.C. 20554
This is an unofficial announcement of Commission action. Release of the
full text of a Commission order constitutes official action.
See MCI v. FCC. 515 F 2d 385 (D.C. Circ 1974).
News Media Information 202 / 418-0500