AT&T has received a $25 million fine from the FCC for breaching customer information in an operation to obtain unlock codes for mobile devices. Through a six month duration between November 2013 and April 2014, the second largest carrier in the United States had offshore centers access and take customer information. AT&T did not know of the breach, but assumes the responsibility under regulations.
Centers located away from the United States in Mexico, Colombia, and the Philippines breached customer data and accessed social security numbers and other data about user accounts, the aim was to sell it to third parties, which was achieved. More than 280,000 customers in the US had their records breached and released during the attack.
So far only AT&T employees are implicated; it is not thought that the companies running the call centers have affiliates with other carriers. AT&T says three employees in Mexico and 40 in the other locations accessed names, telephone numbers, and the last four digits of social security numbers. The company says the access may well have gone deeper than that in some cases.
The data was then sent to third parties for a fee, with those parties using the information to get unlock codes for devices running AT&T's network. The FCC caught onto the breach in Mexico and through the investigation found further instances in Colombia and the Philippines. AT&T is responsible for the breach due to Customer Proprietary Network Information (CPNI).