Slashdot Mirror


AT&T Call Centers Sold Mobile Customer Information To Criminals

itwbennett writes: Employees at three call centers in Mexico, Colombia and the Philippines sold hundreds of thousands of AT&T customer records, including names and Social Security numbers, to criminals who attempted to use the customer information to unlock stolen mobile phones, the U.S. Federal Communications Commission said. AT&T has agreed to pay a $25 million civil penalty, which is the largest related to a data breach and customer privacy in the FCC's history.


  1. Hand slap, LOL. by Anonymous Coward · · Score: 5, Insightful

    So that's what? 1/500th of a month's revenue for AT&T? Geez, they must be stinging for that hand slap!

    1. Re:Hand slap, LOL. by Dutch+Gun · · Score: 4, Insightful

      When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire? That's ultimately the fatal flaw with giving a company your personal data, even if their carefully crafted, lawyer approved privacy statement has the best of intentions.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Hand slap, LOL. by ShaunC · · Score: 2

      When a company says that they'll protect your data, can they really speak for every one of the employees or contractors they hire?

      Especially when they offshore so much of their workforce in order to pay shit wages. Some guy sitting in a boiler room in Colombia has very little connection to his parent company and is outside the jurisdiction of the US. I'd say that gives him more incentive to steal and sell corporate data, or at least less incentive not to, than a happy US-based employee.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    3. Re:Hand slap, LOL. by BronsCon · · Score: 5, Interesting

      So they won't do this again, they'll do something else, and it'll be the first time they did that. Will just a slap on the wrist be okay, then, too? This isn't the first time AT&T has fucked their customers, that's SOP for them, but let's look at it in as fine-grained of a manner as possible and say "it's okay, just don't do this exact thing again".

      Or, maybe they will do it again but, next time, they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones. Is that different enough to warrant yet another slap on the wrist?

      Wake the fuck up and realize that AT&T, Comcast, and the like will simply adjust their behavior just enough that people like you will say "oh, well that's something different" so they never suffer anything amounting to more than a warning shot across their bow, as they've been doing for decades, until people like you stop accepting it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re:Hand slap, LOL. by davester666 · · Score: 2

      OMG. I can't imagine ANY corporation with more than a couple of 'stores', particularly across more than one state, having a privacy statement vetted by lawyers that 'has the best of intentions' for their customers. They all are worded to be "we'll try to make sure we know everyone accessing your private data, but if we don't, there's no penalty".

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:Hand slap, LOL. by Anne+Thwacks · · Score: 2

      The directors are very highly paid because of this responsibility. Allegedly.

      --
      Sent from my ASR33 using ASCII
    6. Re:Hand slap, LOL. by l0n3s0m3phr34k · · Score: 2

      When I went to work for AT&T as a CSR, I had to pass a seven year background check that also included driving records. I don't know what cellular provider you go through that has a higher level of checks than that, but AT&T just does a credit check on customers as opposed to an actual background check.

      Yet these people were not actual AT&T employees but contractors, so no telling what type of checks are used. This isn't the first time AT&T has had this problem...in 2010 the FBI arrested four people hacking AT&T's PBX systems for Jemaah Islamiyah, who also performed the Mumbai attacks.

  2. Double the Outrage by leftover · · Score: 4, Interesting

    1. Only $25M for that egregious violation??

    2. And that is the *LARGEST* penalty ever????

    Token penalties like that are equivalent to declaring a free-for-all-big-corps.

    --
    Bent, folded, spindled, and mutilated.
    1. Re:Double the Outrage by aardvarkjoe · · Score: 2

      1. Only $25M for that egregious violation??

      AT&T didn't sell the info (the title of the article is false.) It was some people that were employed by their call centers that were engaged in the crime. You don't punish a company for hiring somebody who turns out to be a criminal. All they can be punished for is if the policies that allowed their employees to get that information were negligent.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Double the Outrage by Lunix+Nutcase · · Score: 2

      1. Only $25M for that egregious violation??

      2. And that is the *LARGEST* penalty ever????

      Token penalties like that are equivalent to declaring a free-for-all-big-corps.

      Yeah it's basically .018 cents per dollar revenue and .4 cents per dollar of net income. AT&T must be smarting!

    3. Re:Double the Outrage by mishehu · · Score: 2

      Sure you do if their policies are what led to this being unnecessarily possible. Why do the call centers need access to the full social security number? Why not the first two and last two digits or something like that? Surely these weren't the sales call centers - Americans in general tend to not like speaking to sales people with accents.

  3. So... AT&T Call Centers sold customer info... by Jax+Omen · · Score: 4, Funny

    to AT&T? And maybe Verizon/Comcast?

    I can't think of anyone more criminal.

  4. Time for Proportional Fines by Jahoda · · Score: 5, Insightful

    It is time to adopt a system similar to Finland, where fines for infractions such as speeding are proportional to income and ability to pay. For AT&T to pay $25 million for this kind of ridiculous breach in security is outrageous. Exactly what economic incentive does AT&T have to change their ways or improve security? If you answered "None. Zero. zip. Zilch.", you win the prize!

    1. Re:Time for Proportional Fines by Daetrin · · Score: 4, Insightful

      You read a post on Slashdot and you didn't understand it.

      The proposal is not that if a person commits a crime and pays X amount for it then if a company commits the same crime they should pay X multiplied by the difference in their income, which is what you're arguing against in your example of speeding tickets.

      This is in relation to the kinds of crimes that (generally) companies commit, and is arguing that if a large company commits that crime then it should pay a larger fine than if a smaller company commits the same crime.

      It is possible that the scale of the crime has been included in the size of the fee, but if so it's a pretty ridiculous standard to begin with. "Hundreds of thousands of customer records" is pretty vague, but let's assume records for 250,000 people. That means a fine of $100 a person. That's not nothing, but it doesn't really cover the potential damage they may have caused. And furthermore in this case, although we are presuming the employees did not sell the data as part of a corporate directive, the fact that they were able to do so indicates some pretty serious lack of oversight and security, and some portion of the fee ought to be related to that. And _that_ part of the fee ought to reflect the size of the company involved.

      $25 million could easily bankrupt a small company, but AT&T will hardly notice it amidst the yearly revenue of $132 billion and net income of over $6 billion. So the fine works out to about 0.4% of their yearly profit. In 2011 the average American household had $12,800 of discretionary income available, about the best equivalent to corporate profit I can think of. In which case if an average American committed the same crime the "expected" fee would be $51.20. That's not even a speeding ticket, that's about a parking ticket level of fine.

      --
      This Space Intentionally Left Blank
  5. Aha by tekrat · · Score: 5, Funny

    That explains the increase I just saw in my bill. An extra $15... they are already trying to squeeze their customers to pay for the fine.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  6. Galling by lq_x_pl · · Score: 2

    From TFA:
    "AT&T has “no reason to believe” that the stolen customer records were used for identity theft or financial fraud, the company said in a statement."
    "AT&T has “no reason to believe” that the stolen customer records have been used for identity theft or financial fraud yet, the company said in a statement."
    [ftfTFA] It is at times like these that I feel like we should be telling companies to take a hike when they require information like SSNs to sign up for an account.

    --
    An internal system operation returned the error "The operation completed successfully.".
  7. RTFA by jklovanc · · Score: 3, Insightful

    they'll sell information to criminals using the information for identity theft instead of unlocking stolen phones.

    AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

    What is your solution?

    By the way, the use of profanity does not strengthen your argument.

    1. Re:RTFA by BronsCon · · Score: 5, Insightful

      AT&T didn't sell the information this time. Some AT&T employees stole the information and sold it. AT&T is being fined for having lax procedures that allowed the original theft.

      Yes, they allowed the data to be stolen. They didn't put in place anything even resembling reasonable access restrictions, no safeguards to keep the low-level employees who don't need customers' social security numbers and banking information (yes, they have access to that, too; it's amazing that wasn't also stolen, or maybe it was) from accessing that information. In fact, not only did they not prevent said access, they fed them the data, they put it right there in the portal they provide their support reps, where it's on display for the duration of the support call. It's not a matter of incompetent security measures, it's a matter of gross negligence in how they handle customer data and they should bear much more liability for that negligence than one might be expected to bear for incompetence.

      What is your solution?

      Maybe a fine that equates to a liability of more than $100 per person whose data they allowed to be stolen and sold? After all, this trial was about liability, right? And damages? Maybe convincing them to fix the problem? I don't think 0.02% of their annual revenue will do that.

      By the way, the use of profanity does not strengthen your argument.

      Well, I guess it's a good thing my intent was to express frustration, then.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:RTFA by BronsCon · · Score: 2

      By the way, this has nothing to do with CPNI

      Paragraph 1 of the consent decree begs to differ.

      The Enforcement Bureau (Bureau) of the Federal Communications Commission (Commission) has entered into a Consent Decree to resolve its investigation into whether AT&T Services, Inc. (AT&T or Company) failed to properly protect the confidentiality of almost 280,000 customers’ proprietary information, including sensitive personal information such as customers’ names and at least the last four digits of their Social Security numbers, as well as account-related data known as customer proprietary network information (CPNI), in connection with data breaches at AT&T call centers in Mexico, Columbia, and the Philippines.

      You seem to be arguing for argument's sake and are conflicting your own arguments in the process. Buh-bye.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.