Governance & Risk Management , Incident & Breach Response , Insider Threat
Insider Breach Costs AT&T $25 MillionFCC: Pilfered PII Could Be Used to Unlock Mobile Phones
AT&T is paying a hefty price - $25 million - for call center employees in Mexico, Colombia and the Philippines accessing personally identifiable information from some 278,000 customer accounts without authorization.
The Federal Communications Commission says employees in 2013 and 2014 retrieved customer proprietary network information and other personal data that could be used to unlock AT&T mobile phones. Then, the employees provided that information to unauthorized third parties who appear to have trafficked in stolen cell phones or secondary market phones that they wanted to unlock.
"Today's action demonstrates the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers," FCC Chairman Tom Wheeler says.
The $25 million civil penalty assessed by the commission and agreed to by AT&T represents the largest privacy and data security enforcement by the FCC. The settlement was announced April 8.
Vendors Failed to Meet High Standards
AT&T declined to be interviewed, but issued a statement that says protecting customer privacy is critical to the company. "We hold ourselves and our vendors to a high standard," says Fletcher Cook, AT&T assistant vice president for global media relations. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information."
According to the FCC, its Enforcement Bureau last May launched an investigation into a 168-day, insider data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014 in which three call center employees were paid by third parties to obtain customer information, specifically names and at least the last four digits of customers' Social Security numbers, information that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T's online customer unlock request portal.
Mexican Probe Uncovers Colombia, Philippines BreachesDuring the investigation, the FCC Enforcement Bureau discovered that AT&T had additional data breaches at other call centers in Colombia and the Philippines. AT&T informed the bureau that about 40 employees at the Colombian and Philippine facilities had also accessed customer names, telephone numbers and at least the last four digits of customer Social Security numbers to obtain unlock codes for AT&T mobile phones. About 211,000 customer accounts were accessed in connection with the data breaches in Colombia and the Philippines.
Robert Cattanach, a partner at the law firm Dorsey & Whitney, says the insider breach calls into question the integrity of call centers outside of the United States. "The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Columbia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack," he says.
Besides paying the fine, the FCC is requiring AT&T to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conduct a privacy risk assessment, implement an information security program, prepare an appropriate compliance manual and regularly train employees on the company's privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.
The FCC also is requiring AT&T to notify all customers whose accounts were improperly accessed and pay for credit monitoring services for consumers affected by the breaches in Colombia and the Philippines.
Slap on the Wrist?
Several cybersecurity experts question whether the $25 million would serve as a deterrent for businesses to properly secure their IT. "Twenty-five million dollars may sound a lot but it is not even a slap on the wrist for a company whose yearly advertising budget is over $1 billion," says Chris Conacher, director of security research and development at Tripwire, a provider of IT security compliance products. "If you really want companies to think about security, you need to do something that makes the decision-makers sit up and listen. If all you are doing is making tiny deductions against the bottom line, businesses are going to keep on doing what they do and consumers will keep on suffering."
But Philip Lieberman, president of IT security provider Lieberman Software, says the penalty will cost AT&T much more than the steps it should have taken to prevent the insider breach. "The cost to implement a control would be one-tenth - or vastly less - of the cost of the fine and other losses," Lieberman says. "It would, however, require a change in process which is generally harder than the purchase of any technology. The C-level staff will have to explain this to the board as to why they did not implement a control when the cost would be trivial. This one goes toward the leadership of the IT team in place."
FCC-FTC Turf Battle Brewing
Cattanach characterizes the settlement as another benchmark for data breach enforcement, demonstrating the continuing encroachment by the FCC into areas once seen as the exclusive domain of the Federal Trade Commission.
"This is a classic data breach enforcement action that typically would have been prosecuted by the FTC until most recently," Cattanach says. "Given the increasingly frosty relationship between the FTC and FCC on enforcement of incidents triggering dual jurisdiction, it's difficult to imagine that there was any significant coordination between the two agencies."
The announcement of the FCC-AT&T settlement comes three weeks after a House hearing on nationalizing data breach notification, in which witnesses took opposing stands on whether the FCC or FTC should pursue civil ligitation against telecommunications firms involved in a breach (see Barriers to a Breach Notification Law).
A discussion draft of a national breach notification bill being considered by the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade would authorize the FTC and states attorneys general to enforce it, removing the FCC jurisdiction over communications companies it now regulates in regards to data breaches.
"The draft bill would alter this legal framework and leave gaps as compared to existing consumer protections," said Cleve Johnson, FCC chief counsel for cybersecurity, who at the hearing added that "the FCC actively enforces the data privacy and security provisions of the Communications Act and related rules."
Who's the Best Enforcer?
But another witness testifying, former FTC Chairman Jon Leibowitz, told lawmakers that enforcing the law should be left to the FTC and state AGs, noting that the regulatory strength of the FCC is in allotting and regulating airwave and wireless spectrum and not in enforcing security and privacy laws.
The FTC has been enforcing privacy protections since enactment of the Fair Credit Reporting Act in the early 1970s. "The FTC should be the sole enforcer of data security because I think it does a really good job and has expertise and it's been concentrated on that for decades," Leibowitz said.
But in announcing the settlement with AT&T, the FCC Enforcement Bureau Chief Travis LeBlanc said the commission is positioned to enforce laws and regulations. "Today's agreement shows the commission's unwavering commitment to protect consumers' privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached and put in place robust internal processes to prevent against future breaches," he said.