Slashdot Mirror


AT&T Call Centers Sold Mobile Customer Information To Criminals

itwbennett writes: Employees at three call centers in Mexico, Colombia and the Philippines sold hundreds of thousands of AT&T customer records, including names and Social Security numbers, to criminals who attempted to use the customer information to unlock stolen mobile phones, the U.S. Federal Communications Commission said. AT&T has agreed to pay a $25 million civil penalty, which is the largest related to a data breach and customer privacy in the FCC's history.

6 of 92 comments

  1. Hand slap, LOL. by Anonymous Coward · Score: 5, Insightful

    So that's what? 1/500th of a month's revenue for AT&T? Geez, they must be stinging for that hand slap!

    1. Re:Hand slap, LOL. by Dutch Gun · Score: 4, Insightful

      When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire? That's ultimately the fatal flaw with giving a company your personal data, even if their carefully crafted, lawyer-approved privacy statement has the best of intentions.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Time for Proportional Fines by Jahoda · Score: 5, Insightful

    It is time to adopt a system similar to Finland, where fines for infractions such as speeding are proportional to income and ability to pay. For AT&T to pay $25 million for this kind of ridiculous breach in security is outrageous. Exactly what economic incentive does AT&T have to change their ways or improve security? If you answered "None. Zero. zip. Zilch.", you win the prize!

    1. Re:Time for Proportional Fines by Daetrin · Score: 4, Insightful

      You read a post on Slashdot and you didn't understand it.

      The proposal is not that if a person commits a crime and pays X amount for it then if a company commits the same crime they should pay X multiplied by the difference in their income, which is what you're arguing against in your example of speeding tickets.

      This is in relation to the kinds of crimes that (generally) companies commit, and is arguing that if a large company commits that crime then it should pay a larger fine than if a smaller company commits the same crime.

      It is possible that the scale of the crime has been included in the size of the fee, but if so it's a pretty ridiculous standard to begin with. "Hundreds of thousands of customer records" is pretty vague, but let's assume records for 250,000 people. That means a fine of $100 a person. That's not nothing, but it doesn't really cover the potential damage they may have caused. And furthermore in this case, although we are presuming the employees did not sell the data as part of a corporate directive, the fact that they were able to do so indicates some pretty serious lack of oversight and security, and some portion of the fee ought to be related to that. And _that_ part of the fee ought to reflect the size of the company involved.

      $25 million could easily bankrupt a small company, but AT&T will hardly notice it amidst the yearly revenue of $132 billion and net income of over $6 billion. So the fine works out to about 0.4% of their yearly profit. In 2011 the average American household had $12,800 of discretionary income available, about the best equivalent to corporate profit I can think of. In which case if an average American committed the same crime the "expected" fee would be $51.20. That's not even a speeding ticket, that's about a parking ticket level of fine.

      --
      This Space Intentionally Left Blank
  3. RTFA by jklovanc · Score: 3, Insightful

    > they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones.

    AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

    What is your solution?

    By the way, the use of profanity does not strengthen your argument.

    1. Re:RTFA by BronsCon · Score: 5, Insightful

      > AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

      Yes, they allowed the data to be stolen. They didn't put in place anything even resembling reasonable access restrictions, no safeguards to keep the low-level employees who don't need customers' social security numbers and banking information (yes, they have access to that, too; it's amazing that wasn't also stolen, or maybe it was) from accessing that information. In fact, not only did they not prevent said access, they fed them the data, they put it right there in the portal they provide their support reps, where it's on display for the duration of the support call. It's not a matter of incompetent security measures, it's a matter of gross negligence in how they handle customer data and they should bear much more liability for that negligence than one might be expected to bear for incompetence.

      > What is your solution?

      Maybe a fine that equates to a liability of more than $100 per person whose data they allowed to be stolen and sold? After all, this trial was about liability, right? And damages? Maybe convincing them to fix the problem? I don't think 0.02% of their annual revenue will do that.

      > By the way, the use of profanity does not strengthen your argument.

      Well, I guess it's a good thing my intent was to express frustration, then.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.