
AT&T Call Centers Sold Mobile Customer Information To Criminals

itwbennett writes Employees at three call centers in Mexico, Colombia and the Philippines sold hundreds of thousands of AT&T customer records, including names and Social Security numbers, to criminals who attempted to use the customer information to unlock stolen mobile phones, the U.S. Federal Communications Commission said. AT&T has agreed to pay a $25 million civil penalty, which is the largest related to a data breach and customer privacy in the FCC's history.
  • Hand slap, LOL. (Score:5, Insightful)

    by Anonymous Coward on Wednesday April 08, 2015 @05:29PM (#49432913)

    So that's what? 1/500th of a month's revenue for AT&T? Geez, they must be stinging for that hand slap!

    • by Dutch Gun ( 899105 ) on Wednesday April 08, 2015 @05:42PM (#49433005)

      When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire? That's ultimately the fatal flaw with giving a company your personal data, even if their carefully crafted, lawyer approved privacy statement has the best of intentions.

      • by ShaunC ( 203807 )

        When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire?

        Especially when they offshore so much of their workforce in order to pay shit wages. Some guy sitting in a boiler room in Colombia has very little connection to his parent company and is outside the jurisdiction of the US. I'd say that gives him more incentive to steal and sell corporate data, or at least less incentive not to, than a happy US-based employee.

      • "When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire?"

        Who else can they be speaking for? A company is not a person in the sense that it cannot do anything. Only its employees and contractors can do anything.

      • OMG. I can't imagine ANY corporation with more than a couple of 'stores', particularly across more than one state, having a privacy statement vetted by lawyers that 'has the best of intentions' for their customers. They all are worded to be "we'll try to make sure we know everyone accessing your private data, but if we don't, there's no penalty".

      • by gl4ss ( 559668 )

        umm..

        well, they can speak for their subcons. after all, that's what they did when they implied that your data wouldn't be sold to criminals outside the company.

        and that's why they got fined 25 mil, because they did something wrong. should have been a higher sum, but still, they fucked up by doing less of a background check to their employees than they do to their customers!

        it's not like anyone forced the company to outsource shit to pacific asia.

          When I went to work for AT&T as a CSR, I had to pass a seven year background check that also included driving records. I don't know what cellular provider you go through that has a higher level of checks than that, but AT&T just does a credit check on customers as opposed to an actual background check.

          Yet these people were not actual AT&T employees but contractors, so no telling what type of checks are used. This isn't the first time AT&T has had this problem...in 2010 the FBI a
    • This is the first time AT&T has been found guilty of this charge. Sure it is a slap on the wrist but if they do it again I bet the slap will be much harder.

      • by BronsCon ( 927697 ) <social@bronstrup.com> on Wednesday April 08, 2015 @07:23PM (#49433735) Journal
        So they won't do this again, they'll do something else, and it'll be the first time they did that. Will just a slap on the wrist be okay, then, too? This isn't the first time AT&T has fucked their customers, that's SPO for them, but let's look at it in as fine-grained of a manner as possible and say "it's okay, just don't do this exact thing again".

        Or, maybe they will do it again but, next time, they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones. Is that different enough to warrant yet another slap on the wrist?

        Wake the fuck up and realize that AT&T, Comcast, and the like will simply adjust their behavior just enough that people like you will say "oh, well that's something different" so they never suffer anything amounting to more than a warning shot across their bow, as they've been doing for decades, until people like you stop accepting it.
        • Typo... SPO should be SOP. People, this is why we proofread.
        • RTFA (Score:4, Insightful)

          by jklovanc ( 1603149 ) on Wednesday April 08, 2015 @07:38PM (#49433835)

          they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones.

          AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

          What is your solution?

          By the way, the use of profanity does not strengthen your argument.

          • Re:RTFA (Score:5, Insightful)

            by BronsCon ( 927697 ) <social@bronstrup.com> on Wednesday April 08, 2015 @07:57PM (#49434017) Journal

            AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

            Yes, they allowed the data to be stolen. They didn't put in place anything even resembling reasonable access restrictions, no safeguards to keep the low-level employees who don't need customers' social security numbers and banking information (yes, they have access to that, too; it's amazing that wasn't also stolen, or maybe it was) from accessing that information. In fact, not only did they not prevent said access, they fed them the data, they put it right there in the portal they provide their support reps, where it's on display for the duration of the support call. It's not a matter of incompetent security measures, it's a matter of gross negligence in how they handle customer data and they should bear much more liability for that negligence than one might be expected to bear for incompetence.

            What is your solution?

            Maybe a fine that equates to a liability of more than $100 per person whose data they allowed to be stolen and sold? After all, this trial was about liability, right? And damages? Maybe convincing them to fix the problem? I don't think 0.02% of their annual revenue will do that.

            By the way, the use of profanity does not strengthen your argument.

            Well, I guess it's a good thing my intent was to express frustration, then.

            • banking information (yes, they have access to that, too; it's amazing that wasn't also stolen, or maybe it was)

              Where is this information coming from? It is not in the article.

              Maybe convincing them to fix the problem? I don't think 0.02% of their annual revenue will do that.

              You know that how? Maybe the threat of much higher fines if it happens again may have the desired effect.

              It is funny how people get a break on a first offense but companies don't.

              • Where is this information coming from? It is not in the article.

                Knowing, personally, an AT&T support rep who has, on numerous occasions, told me how appalled she is that this information is accessible to anyone from tier 1 on up.

                It is funny how people get a break on a first offense but companies don't.

                It's funny how this was a civil trial, where people don't get a break for their first offense, but you think it's cool that companies do.

                • It's funny how this was a civil trial

                  There was no trial. It was a consent decree [fcc.gov] and not a court case. You might want to look up what civil penalty [wikipedia.org] actually means.

                  A civil penalty or civil fine is a financial penalty imposed by a government agency as restitution for wrongdoing.

                  Civil penalty has nothing to do with what type of court, civil or criminal.

                  • To be quite honest, I didn't read the article so I was making some assumptions. Because of that, the term "civil penalty" never came into play, though I do know what it means, thank you. That being said, show me an instance where a civilian got off with a slap on the wrist violating FCC regulations regarding securing CPNI and I'll agree with you. Trial or no trial, this is a civil matter with actual victims involved; people don't get breaks in these instances like they do on traffic tickets. Or murder, for
                    • show me an instance where a civilian got off with a slap on the wrist violating FCC regulations regarding securing CPNI

                      Show me where a civilian can violate those regulations. Those regulations govern companies not individuals.

                      By the way, this has nothing to do with CPNI [wikipedia.org].

                      Customer proprietary network information (CPNI) is the data collected by telecommunications companies about a consumer's telephone calls.

                      It has to do with private account information like SSNs. This appears to be another use of a technical term that you have no idea what it means and for some reason won't even look up.

                      Trial or no trial, this is a civil matter

                      Wrong again. This is a regulatory matter as the company failed to follow the Communications Act.

                      The failure to reasonably secure customers’ proprietary information violates a carrier’s statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act.

                    • By the way, this has nothing to do with CPNI

                      Paragraph 1 of the consent decree begs to differ.

                      The Enforcement Bureau (Bureau) of the Federal Communications Commission (Commission) has entered into a Consent Decree to resolve its investigation into whether AT&T Services, Inc. (AT&T or Company) failed to properly protect the confidentiality of almost 280,000 customers’ proprietary information, including sensitive personal information such as customers’ names and at least the last four digits of their Social Security numbers, as well as account-related data known as customer proprietary network information (CPNI), in connection with data breaches at AT&T call centers in Mexico, Columbia, and the Philippines.

                      You seem to be arguing for argument's sake and are conflicting your own arguments in the process. Buh-bye.

                    • I posted prematurely. Regulatory matters are, in fact, a type of civil matter. Go ahead and nit-pick about the specifics as if they actually matter. And keep assuming I don't know what industry (not technical) terms like CPNI mean when they're defined right in the document you referenced, which also states that CPNI was, in fact, a part of this issue.

                      On that note, good day, sir.
                    • How about you use the link [wikipedia.org] I referenced:

                      It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.

                      Sensitive information like SSN does not appear on a customer's bill.

                    • How about you read the consent decree you referenced? Hell, to save you the trouble of opening the PDF, I even quoted the paragraph in question. Again it's the very first paragraph of the document you referenced, for which you provided the link. Notice how I'm no longer arguing? There's a reason for that. Good day to you.
          • by mjwx ( 966435 )

            they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones.

            AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

            What is your solution?

            Disallow the companies from keeping this information.

            This is how it works in Australia. My ISP is not permitted to keep or even ask for certain bits of information. Your SSN is roughly equivalent to my TFN (Tax File Number) and they can't ask for that, they aren't even allowed to keep my driver's license number on file. They only really have my card number and there is a metric shitload (oops, profanity, well, you'll just have to get over it) of laws regarding how that information can be kept and where (as

            • So how do companies in Australia verify that a customer is not impersonating someone else?

              • I don't know, but they only need to keep on the computer the fact that they have verified it, not the actual verification process. Here in the UK, banks are in the habit of verifying your id by asking your mother's maiden name and your place of birth, which for most people are readily available from Facebook (probably how they verify the data).
                • I don't know, but they only need to keep on the computer the fact that they have verified it, not the actual verification process.

                  If a dispute comes up as to who opened the account the company needs to show the data they used to verify against. If they don't have the data they can not prove they verified the identity correctly.

                  (probably how they verify the data)

                  The banks ask those questions when the account is opened. In my bank they ask for a security password that I supplied.

        • by kenh ( 9056 )

          So they won't do this again

          You understand it was contract employees that stole the data, not AT&T Corporate...

          • You understand it was AT&T's corporate policy of displaying social security numbers and billing data in plaintext to tier 1 contracted support who don't need access to that data that led to it being stolen, right?
          • Who was it who decided to outsource to poor people who could sell that information for more than they earn in a month.

            • ... the per capita income in the Philippines in 2013 was 3000... yeah... more than they could earn in a month.

    • When I first read the headline, I thought that the "criminals" were the NSA. I was wondering what all the fuss was about. It just sounded like business as usual to me . . .

  • Double the Outrage (Score:5, Interesting)

    by leftover ( 210560 ) on Wednesday April 08, 2015 @05:36PM (#49432955) Homepage

    1. Only $25M for that egregious violation??

    2. And that is the *LARGEST* penalty ever????

    Token penalties like that are equivalent to declaring a free-for-all-big-corps.

    • 1. Only $25M for that egregious violation??

      AT&T didn't sell the info (the title of the article is false.) It was some people that were employed by their call centers that were engaged in the crime. You don't punish a company for hiring somebody who turns out to be a criminal. All they can be punished for is if the policies that allowed their employees to get that information were negligent.

      • by mishehu ( 712452 )
        Sure you do if their policies are what led to this being unnecessarily possible. Why do the call centers need access to the full social security number? Why not the first two and last two digits or something like that? Surely these weren't the sales call centers - Americans in general tend to not like speaking to sales people with accents.
        • by mcl630 ( 1839996 )

          That's what I want to know. Why on earth do call centers even have access to the full SSN? I could understand the last four digits, as that's often used to verify the identity of the caller, but there's just no reason I can see that they would need the full number.

        • I don't mind accents, I mind accents I can't understand. Big difference.
      • by Anonymous Coward

        I answer calls in a center under contract to AT&T. I doubt this will have any effect on which countries AT&T has call centers, but I suspect that the other employees in the centers where the breaches occurred are ready to lynch the criminals who have cost them their jobs. Luckily, my center was not involved in the thefts. In the wake of these incidents, we have been prohibited from having any kind of recording device at our stations. This includes paper, cell phones, thumb drives, and e-mail.

      • by Anonymous Coward

        AT&T didn't sell the info (the title of the article is false.) It was some people that were employed by their call centers that were engaged in the crime. You don't punish a company for hiring somebody who turns out to be a criminal.

        As usual, corporations are people right up until it's inconvenient, then they're an organization and can't be treated the same way as people are.

        • Well, yes, AT&T is also a common carrier so they can avoid liability for the data they transmit, but not a common carrier so they can throttle. Why would they play the corporation card any differently? They're also expanding their DSL network to cover everyone in the US so they can get government money to do it, but they're not expanding to rural areas because it's too expensive. Oh, and they're a utility provider of telephone services (POTS) so they can get government money to maintain the copper netwo
        • As usual, corporations are people right up until it's inconvenient, then they're an organization and can't be treated the same way as people are.

          This has nothing to do with corporations. If you, as a private citizen, hire somebody to do a job, and they then commit a crime using your property, you will not be held responsible for that crime unless it turns out that you were complicit or negligent. AT&T should be held to exactly the same standard.

          • In this particular case, it's pretty clear they were negligent. However, the fine was minuscule in terms of impact on the company compared to the fine that would have been imposed on an individual for (say) jay walking.
      • by SeaFox ( 739806 )

        1. Only $25M for that egregious violation??

        AT&T didn't sell the info (the title of the article is false.) It was some people that were employed by their call centers that were engaged in the crime. You don't punish a company for hiring somebody who turns out to be a criminal.

        Yeah you do.

        I, as the end consumer, have no control over who AT&T outsources to.
        By hiring this outsourcer and giving them access to my account, AT&T is giving their stamp of approval for this company to act on their behalf and be, for all intents and purposes, AT&T as far as the end customer is concerned. They are backing up the reputation of this company and quality of their work with their own brand identity.

        It's like if a buy a car and the automaker has issues from a part failing. It's ultimate

        • By hiring this outsourcer and giving them access to my account, AT&T is giving their stamp of approval for this company to act on their behalf and be, for all intents and purposes, AT&T as far as the end customer is concerned. They are backing up the reputation of this company and quality of their work with their own brand identity.

          It is a terrible idea to make an employer responsible for everything an employee does. It is the responsibility of the employer to have a level of diligence to protect their customers, through policies and actions, but that doesn't mean that they can predict and control everything that a human being will do.

          The fact that a $25 million fine was imposed says that the government believed that the appropriate level of diligence was not taken, but I see nothing to suggest that the negligence was great enough to

          • It is a terrible idea to make an employer responsible for everything an employee does.

            No, in most of the world, including the Mafia, that is how life is. That is what company directors are paid for. They have the responsibility to see that these things can't and don't happen. In this case, they took no steps whatever to protect their customers' private data which they had no legitimate reason to keep.

            A more reasonable approach to the crime would have been to determine that (a) the data protection law was

    • 1. Only $25M for that egregious violation??

      2. And that is the *LARGEST* penalty ever????

      Token penalties like that are equivalent to declaring a free-for-all-big-corps.

      Yeah it's basically .018 cents per dollar revenue and .4 cents per dollar of net income. AT&T must be smarting!

      • by jd2112 ( 1535857 )

        1. Only $25M for that egregious violation??

        2. And that is the *LARGEST* penalty ever????

        Token penalties like that are equivalent to declaring a free-for-all-big-corps.

        Yeah it's basically .018 cents per dollar revenue and .4 cents per dollar of net income. AT&T must be smarting!

        AT&T to employees: STOP RIPPING OFF OUR CUSTOMERS!!!! That's OUR job!

    • As long as politicians have to suck the Corporate Tit for campaign money nothing will change.
  • by Jax Omen ( 1248086 ) on Wednesday April 08, 2015 @05:39PM (#49432975)

    to AT&T? And maybe Verizon/Comcast?

    I can't think of anyone more criminal.

  • by Anonymous Coward

    But but but that will never happen! The government and companies are responsible with our data!
    Who cares about you? Why are you so special? lol you're paranoid

  • That's new (Score:2, Funny)

    by T.E.D. ( 34228 )

    That's a switch...usually they just give that information away for free to criminals.

    This isn't an improvement for customers, but at least its better for stockholders.

  • by Jahoda ( 2715225 ) on Wednesday April 08, 2015 @05:43PM (#49433017)
    It is time to adopt a system similar to Finland, where fines for infractions such as speeding are proportional to income and ability to pay. For AT&T to pay $25 million for this kind of ridiculous breach in security is outrageous. Exactly what economic incentive does AT&T have to change their ways or improve security? If you answered "None. Zero. zip. Zilch.", you win the prize!
    • It is time to adopt a system similar to Finland, where fines for infractions such as speeding are proportional to income and ability to pay. For AT&T to pay $25 million for this kind of ridiculous breach in security is outrageous. Exactly what economic incentive does AT&T have to change their ways or improve security? If you answered "None. Zero. zip. Zilch.", you win the prize

      You read an article on Slashdot and didn't understand it.

      Bill Gates has ten thousand times more money than I have. That doesn't mean he eats ten thousand times more, drinks ten thousand times more, and will speed ten thousand times more often than I do. To influence his individual behaviour, you'd have to give him a bigger fine for one violation.

      A big company might have a fleet of 10,000 cars. If their drivers behave exactly as good or as bad as I do, they will get 10,000 times as many speeding tickets th

      • by Daetrin ( 576516 ) on Wednesday April 08, 2015 @06:35PM (#49433445)
        You read a post on Slashdot and you didn't understand it.

        The proposal is not that if a person commits a crime and pays X amount for it then if a company commits the same crime they should pay X multiplied by the difference in their income, which is what you're arguing against in your example of speeding tickets.

        This is in relation to the kinds of crimes that (generally) companies commit, and is arguing that if a large company commits that crime then it should pay a larger fine than if a smaller company commits the same crime.

        It is possible that the scale of the crime has been included in the size of the fee, but if so it's a pretty ridiculous standard to begin with. "Hundreds of thousands of customer records" is pretty vague, but let's assume records for 250,000 people. That means a fine of $100 a person. That's not nothing, but it doesn't really cover the potential damage they may have caused. And furthermore in this case, although we are presuming the employees did not sell the data as part of a corporate directive, the fact that they were able to do so indicates some pretty serious lack of oversight and security, and some portion of the fee ought to be related to that. And _that_ part of the fee ought to reflect the size of the company involved.

        $25 million could easily bankrupt a small company, but AT&T will hardly notice it amidst the yearly revenue of $132 billion and net income of over $6 billion. So the fine works out to about 0.4% of their yearly profit. In 2011 the average American household had $12,800 of discretionary income available [experian.com], about the best equivalent to corporate profit I can think of. In which case if an average American committed the same crime the "expected" fee would be $51.20. That's not even a speeding ticket, that's about a parking ticket level of fine.
    • Worst idea ever. Seems like equality under the law is a concept that has gotten lost.

      And as the guy above said; AT&T didn't do this. Criminals that lied and got a job with them under false pretenses did this.

      I'm IT in a company that accepts credit card payments. I might could make off with the whole list with nobody noticing. Our salespeople have even more direct contact with customers cc info, somewhat similar to AT&Ts probably. They wouldn't even have to steal anything; the cc info is given to the

    • Proportional fines could work. Don't make the fine proportional to the size of the company, make it proportional to the number of records leaked. And use progressive sliding scales. Score the damage for each leaked record based on the exposure of the individual. So 1 point for birth date and 10 points for Social Security number and birth date, because the combination enables identity theft. If the leak is under, say, 100000 it's less per record than if it's over a million. Publish the rules ahead of time.

      Of c

  • So they sold them back to AT&T they're saying?
  • How's that "best shore" strategy working out for ya?

  • I have long felt that companies should legally have to disclose if not, get consent to share your personal information outside your home country. I don't say this because people in other countries are any less trustworthy. My reasoning is that a person has more ability to control their risk exposure and be provided with known forms of legal recourse when their information isn't unknowingly shared or transmitted outside their own country. I've never been comfortable with the idea that when I call into a call
    • by Agripa ( 139780 )

      Consent will just become another paragraph of boilerplate in the contract you agree to for service.

  • Aha (Score:5, Funny)

    by tekrat ( 242117 ) on Wednesday April 08, 2015 @05:45PM (#49433045) Homepage Journal

    That explains the increase I just saw in my bill. An extra $15... they are already trying to squeeze their customers to pay for the fine.

    • by T.E.D. ( 34228 )

      That explains the increase I just saw in my bill. An extra $15... they are already trying to squeeze their customers to pay for the fine.

      I bet that came as a line item on the bill, saying something like "government fees". So not only do they pass the cost on to customers, they try to blame them for it as well.

  • by Anonymous Coward

    To whom will they pay the fine? The FCC?
    They should divide the $25M (or at least a very high % of it) and pay it to the "hundreds" of people that were actually affected.

  • by lq_x_pl ( 822011 ) on Wednesday April 08, 2015 @06:17PM (#49433299)
    From TFA:
    "AT&T has “no reason to believe” that the stolen customer records were used for identity theft or financial fraud, the company said in a statement."
    "AT&T has “no reason to believe” that the stolen customer records have been used for identity theft or financial fraud yet, the company said in a statement."
    [ftfTFA] It is at times like these that I feel like we should be telling companies to take a hike when they require information like SSNs to sign up for an account.
  • by Anonymous Coward

    I wonder if this was discussed at the meetings when they calculated the savings of outsourcing the work and that outsourcing being offshore. I guess they don't teach that at business schools. Ideally these people would not have access to this data to even sell but again, the risks were considered and they took a chance at a savings instead.

    At least Cisco was able to get the federal government (FBI/CIA) to pay the bill, police the situation, and mitigate the risks of their outsourcing problems when they no

  • Why would a phone company (or any other non-government entity) even think about asking for a social security number? I was offered almost $100 off a purchase last summer if I signed up for a store's credit card, but they absolutely insisted that I had to give them my SSN, so I turned down their generous offer and won't ever go back there. Stupid, stupid, stupid.
  • But we already knew they were selling data to the government.

    *badum tish*

  • Apple imposes a $50 million fine for leaks, GT Advanced reveals [digitalspy.com]

    Perhaps LG is now facing more of the same, for leaking two whole characters: "8K".

    What I'm hoping is that LG pushes back, and when it goes to court LG successfully argues they didn't tip any technical parameters about a forthcoming Apple product, because "K" doesn't mean 1000, and "K" doesn't mean 1024, and in fact doesn't mean any number at all, contrary to what the Apple marketing people apparently think.

  • Employees at three call centers in Mexico, Colombia and the Philippines sold hundreds of thousands of AT&T customer records, including names and Social Security numbers

    So a couple low-level workers go all Snowden/Manning and steal company data and sell it on the open market, and their employer is stuck with a $25M fine... Seems fair.

  • They sold it to criminals? Is that like to other phone companies or especially ISPs? Or merely to the NSA?

  • All three are notorious for corruption .. in everything! Why should we be surprised that AT&T call centers are vulnerable to corrupt employees?
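Several commenters above ask why tier-1 call-center reps could see full Social Security numbers in the support portal at all. The following is an added illustration, not AT&T's code or anything from the article: the weak design (every rep gets the whole record) next to a least-privilege design where each role receives only the fields its policy allows, a caller's last four digits are verified without the SSN ever being returned, guesses are rate-limited, and every access is audited. The roles, records, field policy and lockout threshold are constructed for the example.

```python
# Added example: least-privilege field masking for a support-portal view.
import hmac
from typing import Dict, List

# Constructed sample records. In a real deployment the portal process
# would query a service that applies this policy server-side, so the
# full record never reaches the rep's screen in the first place.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "Jane Doe", "ssn": "123-45-6789",
             "bank_acct": "0098765432", "phone": "555-0100"},
    "1002": {"name": "John Roe", "ssn": "987-65-4321",
             "bank_acct": "0011223344", "phone": "555-0199"},
}


def weak_portal_view(customer_id: str) -> Dict[str, str]:
    """Weak design: every field, including the full SSN, goes to the rep."""
    return dict(CUSTOMERS[customer_id])


# Per-role field policy (constructed). Modes: "plain" (show), "last4"
# (all digits masked except the last four). Unlisted fields are hidden.
FIELD_POLICY: Dict[str, Dict[str, str]] = {
    "tier1":         {"name": "plain", "phone": "plain"},
    "fraud_analyst": {"name": "plain", "phone": "plain",
                      "ssn": "last4", "bank_acct": "last4"},
}
MAX_FAILED_VERIFY = 3                # wrong guesses allowed before lockout
AUDIT: List[Dict[str, object]] = []  # append-only access log
_failed_verifies: Dict[str, int] = {}


def mask_last4(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def portal_view(customer_id: str, role: str) -> Dict[str, str]:
    """Hardened design: return only the fields the role's policy permits."""
    policy = FIELD_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"unknown role {role!r}")
    view: Dict[str, str] = {}
    for field, value in CUSTOMERS[customer_id].items():
        mode = policy.get(field, "hidden")      # default deny
        if mode == "plain":
            view[field] = value
        elif mode == "last4":
            view[field] = mask_last4(value)
    AUDIT.append({"event": "view", "customer": customer_id,
                  "role": role, "fields": sorted(view)})
    return view


def verify_caller_last4(customer_id: str, role: str, claimed: str) -> bool:
    """Check a caller's claimed last four digits without exposing the SSN.

    Only four digits are compared, so the lockout keeps a rep (or anyone
    holding a rep's session) from walking the 10,000-value space.
    """
    if role not in FIELD_POLICY:
        raise PermissionError(f"unknown role {role!r}")
    if _failed_verifies.get(customer_id, 0) >= MAX_FAILED_VERIFY:
        AUDIT.append({"event": "verify_locked", "customer": customer_id,
                      "role": role})
        return False
    digits = "".join(ch for ch in CUSTOMERS[customer_id]["ssn"] if ch.isdigit())
    ok = hmac.compare_digest(digits[-4:].encode(), claimed.strip().encode())
    _failed_verifies[customer_id] = 0 if ok else _failed_verifies.get(customer_id, 0) + 1
    AUDIT.append({"event": "verify", "customer": customer_id,
                  "role": role, "result": ok})
    return ok


if __name__ == "__main__":
    print("weak view   :", weak_portal_view("1001"))
    print("tier1 view  :", portal_view("1001", "tier1"))
    print("analyst view:", portal_view("1001", "fraud_analyst"))
    print("verify 6789 :", verify_caller_last4("1001", "tier1", "6789"))
    print("audit events:", len(AUDIT))
```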
