The Federal Communications Commission (FCC or Commission) has entered into a $25 million settlement with AT&T Services, Inc. to resolve an investigation into consumer privacy violations at AT&T call centers in Mexico, Colombia, and the Philippines. The data breaches involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI). These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock. The Commission’s Enforcement Bureau launched its investigation in May 2014, and this is the FCC’s largest privacy and data security enforcement action to date. In addition to the $25 million civil penalty, the company will also notify all customers whose accounts were improperly accessed. AT&T will pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines.
