AT&T will pay a $25m fine after crooked staff leaked subscribers' personal records to criminals flogging stolen cellphones.
About 40 of the telco's employees in its international call centers leafed through the accounts of 280,000 people without permission, pulling up their names, telephone numbers, and at least the last four digits of their social security numbers.
These records were leaked to crime gangs, who fed the information back into AT&T's website to request cellphone unlock codes. These codes free mobiles from the telco's network, allowing stolen handsets to be sold on and used again with another operator.
The jig was up when AT&T detected "a high volume of customer account access" in April 2014, and put an employee suspected of playing a role in the privacy breach through a lie-detector test.
The company alerted the FBI in May that year after examining workers' hard drives. The investigation ultimately led to threats of legal action from US watchdog the FCC against AT&T.
Today, the communications regulator announced AT&T has settled the matter out of court. The FCC said the fine (£16.8m, AU$32.5m) will be the largest-ever penalty to end a consumer privacy probe in America.
According to the settlement's paperwork, AT&T employees in call centers in Mexico, the Philippines, and Colombia improperly accessed more than a quarter of a million customer records between November 2013 and April 2014.
Some of that data – the FCC estimates 51,422 accounts – were used to generate 290,803 handset unlock codes: the names, numbers and social security digits were handed over "to unauthorized third parties who appear to have been trafficking in stolen cellphones or secondary market phones that they wanted to unlock," the watchdog said.
"The Commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” FCC boss Tom Wheeler said in announcing the deal.
"As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."
Though the FCC said the fine will be its largest ever for a data security breach, the $25m payout breaks down to $89.28 per customer record exposed. AT&T reported $132.4bn in total revenues, and $6.2bn in net income, last year, so the fine adds up to about 100 minutes in sales or about 36 hours in profit.
In less time than it takes you to watch The Hangover, a 100-minute flick, AT&T will have pocketed revenues to cover a fine for fumbling the privacy of more than a quarter million people. ®