AT&T has been ordered to pay $25 million to settle the FCC investigation into the consumer privacy violations that exposed information for more than 250,000 customers in the US.
The FCC did not mince words, and said that it would “not stand idly by when a carrier’s lax data security practices expose personal information.”
The breaches in question happened at AT&T’s call centers located in Mexico (the primary breach location, affecting 70,000 accounts), Colombia and the Philippines, and involved personal data such as Social Security numbers, names and account data. Employees illegally accessed the information and were selling it to cyber-thieves.
In Mexico, three employees, for instance, were selling information to someone calling himself “El Pelon,” or, “the Bald One.”
"The AT&T breach was caused by penny pinching by AT&T,” said Richard Blech, CEO and co-founder of Secure Channels. “By outsourcing their call center to foreign countries to save money, AT&T has exposed Americans' sensitive data to peril. If AT&T had simply budgeted for security as a priority and encrypted their customers' sensitive data, AT&T’s frugality at hiring outside of the country would have still left Americans' sensitive data and privacy protected.”
If AT&T is going to offshore customer support, the least it could do is put appropriate security measures in place using a portion of the funds that it saved via outsourcing.
“If they had used strong encryption, the breach would have left the hackers with useless bits and bytes,” said Blech. Due to AT&T's careless disregard for its customers and its employees, Americans' personal data is now afloat in Mexico, Columbia and the Philippines.”
Chris Conacher, Tripwire director of security research and development, added that the fine may sound like a lot, but considering that the telco’s advertising budget alone is well over $1 billion, it’s really just a slap on the wrist—or, could be seen as the cost of doing business.
“If you really want companies to think about security you need to do something that makes the decision-makers sit up and listen,” he said. “If all you are doing is making tiny deductions against the bottom line, businesses are going to keep on doing what they do and consumers will keep on suffering.”
AT&T is no stranger to breaches—last year it also had a mobile subscriber data incident, and another—much smaller—malicious insider breach.