Earlier this week, the Federal Communications Commission (@FCC) hit AT&T with a $25 million fine for data security breaches. The fine was the largest ever levied by the FCC as part of a data security action.
According to the Washington Post, the breaches occurred in AT&T’s foreign call centers in Mexico, Colombia and the Philippines and resulted in the exposure of “hundreds of thousands of customer records, including names, phone numbers and some Social Security numbers.” (Source: Washington Post, “AT&T will pay $25 million after call-center workers sold customer data,” April 8, 2015).
“As many as 279,000 AT&T customers may have been affected by the unauthorized leaks, regulators said. Those customers will receive free credit monitoring as part of the official settlement. The agreement also requires at AT&T to appoint a privacy official who will review the company’s policies and strengthen its security.” (emphasis added).
The fine is not only an indicator of the mounting and increasing costs associated with data breaches, but also a reminder of how vendors constitute a significant data security exposure: three AT&T contractors improperly used 68,000 customer records to request more than 290,000 unlock codes from AT&T.
Despite the fact that the FCC fine was the largest in its history for a data security breach, some experts called the fine inadequate. Chris Conacher, director of security research and development at cybersecurity vendor Tripwire (@TripwireInc), said the fine amounted to a “slap on the wrist” for AT&T. (Source: Computerworld, “AT&T’s data breach settlement called a ‘slap on the wrist’,” April 9, 2015).
AT&T reported revenue of $34.4 billion for the fourth quarter of 2014, alone.
It is likely that AT&T won’t feel much of an impact from this fine; however, for companies without the carrier’s vast reach, resources or balance sheet, the FCC fine is a stark reminder that data security breaches do come with a cost, and that companies would do well to sure up their defenses and choose their partners wisely when it comes to protecting their information and that of their customers.