The Federal Communications Commission is settling for $25 million with AT&T over a large-scale data breach that affected about 280,000 people in 2013 and 2014. Employees at call centers in Mexico, Colombia, and the Philippines leaked names, Social Security numbers, and account information, which they then used to get cellphone unlock codes that they could in turn sell to handset traffickers.
The FCC, which began investigating the AT&T breach in May, says the $25 million settlement is its largest cybersecurity fine to date. “As today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers,” said FCC Chairman Tom Wheeler in a statement.
AT&T said in its (far less triumphant) statement, “We are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations.” The company says it has been working consistently to inform customers whose data was compromised.
As part of the settlement, AT&T will pay the fine within 30 days and will have to offer free credit monitoring to all customers who were affected. And since the FCC’s investigation into the incident is still ongoing, it’s possible that the agency will identify other impacted customers.
The crazy thing is that so many awful breaches have happened since this one that it’s barely memorable.