Under the terms of a consent decree announced on Wednesday, AT&T agreed to pay $25 million to settle an FCC investigation into violations of the agency’s consumer proprietary network information (CPNI) rules. The violations allegedly occurred when the personal data of nearly 300,000 AT&T wireless subscribers was appropriated by third parties for the purpose of trafficking in stolen cell phones.
According to an FCC news release, the $25 million civil penalty constitutes the largest privacy and data security enforcement action in the agency’s history. The FCC launched the probe last May after AT&T voluntarily disclosed subscriber data breaches that occurred at company call centers in Mexico, Colombia and the Philippines. Each of the call centers was manned by AT&T contractors, and the FCC’s investigation revealed that call center employees accessed CPNI and other subscriber data to request unlock codes for AT&T cell phones that were supplied to unauthorized third parties. In turn, the third parties used the codes in attempts to unlock stolen cell phones or secondary market phones. The breaches took place between November 2013 and April 2014. AT&T has since confirmed the termination of its relationship with the call center in Mexico.
AT&T will submit the $25 million payment within 30 days and has also pledged, among other things, to (1) notify affected subscribers and pay for credit monitoring, (2) conduct a privacy risk assessment, (3) develop a compliance manual and appoint a senior compliance officer, and (4) submit regular compliance reports to the FCC. Outlining the corrective measures undertaken by his company in response to the data breach, an AT&T spokesman explained that “we’ve changed our policies and strengthened our operations” and “are terminating vendor sites as appropriate.” FCC Enforcement Bureau Chief Travis LeBlanc expressed hope “that all companies will look to this agreement as guidance,” as “customers trust that their phone company will zealously guard access to sensitive personal information.”