Mixed reaction to AT&T’s $25m data breach penalty

A $25m fine by the US Federal Communications Commission on AT&T for data breaches at call centres has received a mixed reaction

A $25m fine imposed on AT&T by the US Federal Communications Commission for data breaches at call centres in Mexico, Colombia and the Philippines has received a mixed reaction from security professionals.

While some say the fine, or settlement agreement, is an incentive to protect personal data, others say the penalty is not nearly big enough for a company like AT&T.

The FCC said at least two call-centre employees had confessed to stealing private information belonging to about 280,000 US customers.

The data, including names, full and partial social security numbers and other account-related information, had been requested by, and sold to, a third party.

According to the New York Times, the data was used to request handset unlock codes for stolen AT&T phones and for secondary market phones that the third party wanted to unlock.

The FCC found out about the breach when AT&T reported it to the California attorney general in April 2014 and sent letters to affected customers notifying them of the breach.

In March 2015, the FCC told AT&T that it would be investigating similar matters at call centres in Bogotá, Colombia and in the Philippines.


The investigations revealed that 40 call-centre staff in Colombia and the Philippines had also obtained customers' names, telephone numbers and at least the last four digits of social security numbers relating to about 211,000 customer accounts.

AT&T claims it has changed its policies and strengthened its operations to prevent this kind of breach happening again.

John Gunn, vice-president of communications at Vasco Data Security International, said the FCC’s action benefits all consumers everywhere.

“When companies are making the economic decision of whether or not to invest in appropriate security measures, penalties such as this provide an extra incentive for them to take the necessary action to protect customers’ information from hackers,” he said.

But despite the fine being the biggest ever imposed by the FCC for data security and privacy violations, Chris Conacher, director of security research and development at Tripwire, said $25m is “not even a slap on the wrist” for a company with an annual advertising budget of more than $1bn.

“If you really want companies to think about security, you need to do something that makes the decision-makers sit up and listen,” he said. “If all you are doing is making tiny deductions against the bottom line, businesses are going to keep on doing what they do and consumers will keep on suffering.”

Craig Young, security researcher at Tripwire, said corporations should be motivated to take cyber security more seriously to protect their customer base and brand reputation.

“But that is not the reality today,” he said. “Many organisations probably view fines as a cost of doing business. As long as the fines are not putting businesses into bankruptcy or serious financial peril for that matter, executives and boards are free to decide they are better off investing the bare minimum in security and saving the rest for possible breach costs and fines.”

Classic inside threat scenario

Philip Lieberman, president of Los Angeles-based Lieberman Software, said the AT&T data breach was a classic inside threat scenario.

“Most of these go undiscovered and systems remain uncontrolled and unmonitored,” he said. “The cost to implement a control would be one-tenth or vastly less of the cost of the fine and other losses.

“It would, however, require a change in process, which is generally harder than the purchase of any technology. The C-level staff will have to explain to the board why they did not implement a control when the cost would be trivial. This one goes towards the leadership of the IT team in place.”

Richard Blech, chief executive and co-founder of Secure Channels, blamed the breach on “penny pinching” by AT&T.

“By outsourcing its call centres to foreign countries to save money, AT&T has exposed Americans’ sensitive data to peril,” he said. “If AT&T had simply budgeted for security as a priority and encrypted its customers’ sensitive data, its frugality at hiring outside of the country would still have left Americans’ sensitive data and privacy protected.”

Blech said that if AT&T had used strong encryption, the breach would have left the hackers just with useless bits and bytes.

“Due to AT&T’s careless disregard for its customers and its employees, Americans’ personal data is now afloat in Mexico, Colombia and the Philippines,” he said. “The best practice to hack-proof human deception is strong encryption with layered security solutions. Anything less should be a crime.”

Under the settlement, AT&T will pay the fine within 30 days and will have to offer free credit monitoring to all affected customers.

The FCC’s investigation into the incident is ongoing, so it may uncover more customers affected by the breach.
