From LA Times:
AT&T Inc. has agreed to pay $25 million to settle an investigation into data breaches at call centers in Mexico, Colombia and the Philippines that led to the disclosure of personal information of about 280,000 U.S. customers, federal regulators said Wednesday.
Employees at the call centers were paid for the information by people, including a mysterious man in Mexico known only as El Pelon, who appear to have been using it to unlock stolen cellphones, the Federal Communications Commission said.
The call centers, which were operated by third parties, handled calls from U.S. customers, the FCC said. The data breaches began in 2013 and continued into last year.
“Lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans”
The settlement is the largest ever by the agency in a privacy case.
“As the nation’s expert agency on communications networks, the commission cannot — and will not — stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler.
Because of state laws, AT&T customers in California and Vermont previously had been notified that their personal information was improperly disclosed in the breach.
However, other customers were unaware of the problem. Under the settlement, AT&T must notify them and pay for credit monitoring services as well as improve the company’s data security practices, the FCC said.
AT&T said it was reaching out to affected customers.
“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard,” the company said in a statement. “Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate.”