AT&T has agreed to pay US$25 million in fines after two employees at its call center in Mexico confessed to accessing customers’ information and reselling it to strangers. Analysts say this is the largest fine ever issued by the U.S. telecom regulator for data security and privacy violations.
The settlement comes amid intense federal investigation into AT&T’s call centers in Mexico, Colombia and the Philippines. Neither the FCC nor AT&T has disclosed the name of the vendor that ran the call center on behalf of the telecom operator.
“This puts outsourcers under a lot of pressure,” said Peter Ryan, Lead Analyst with research firm Ovum, adding that data security is the big issue on the minds of both buyers and service providers.
“This is a drawback for the call center industry in Mexico, Colombia, Central America and also the Caribbean,” Ryan told Nearshore Americas.
Chief Global Strategy Officer for KM² Solutions, Maggi Williams does not think that nearshore operations are any more vulnerable to such scams than anywhere else. “The nefarious fiddler and thief is likely to pop anywhere and find the hole in the process that enables him or her. Sounds as though knowledge of this particular hole was pretty well spread around,” she said.
Globally call center data breaches and fraud are nothing new, but the settlement highlights the vulnerability of such centers. According to research by Pindrop Security, an Atlanta-based “phoneprinting” start-up, one in 2,900 calls to contact centers are attempts at identity theft. Pindrop’s researchers examined 105 million phone calls and looked at how fraudsters conned call agents.
The threat of insider collusion with fraudsters as in the case of AT&T employees selling data makes preventing such fraud even more difficult as they are able to access the stored data relevant to the customer. According to the Federal Communications Commission (FCC), the two AT&T employees disclosed personal details of almost 280,000 U.S. customers, including “full or partial” Social Security numbers.
This came to light in May last year when the FCC began investigating the suspected data breach at AT&T’s Mexico call center, which handles calls from Spanish-speaking U.S. customers. Who tipped off the FCC? Ryan said, “it’s anybody’s guess. I think some employees at the call center informed the U.S. regulator.”
The investigation found that employees accessed protected account-related data, known as customer proprietary network information (CPNI), and obtained other personal information that customer care agents ask for before unlocking a customer’s mobile phone. The employees then sold that information to “unauthorized third parties” who allegedly peddle stolen cell phones or secondary market phones and also try unlocking such devices.
According to Ryan, “There has not been a significant issue around bribery historically, but we have had some anecdotal evidence of gang activity popping up in call centers in some Central American countries.”
To prevent such breaches, Ryan said call center operators have to check the criminal background of every new recruit to make sure that they have good credit rating. “When it comes to securing internal processes, they have to put in place a system that will lock the computers whenever managers find something suspicious. They even need to make sure that there are no personal devices on the floor, including pen and paper.”
Williams echoed Ryan’s comments, adding that she was “surprised that the service provider had such lax security protocols that this particular breach was able to go on so long and not become scuttlebutt in the call center.”
She said: “If you look at all of the things we try to do in terms of monitoring of agents, not having cell phones on the floor, no pen and paper, the industry tries to prevent this type of thing. Obviously people do find ways around it.”
Ryan said his firm recently conducted a survey during which they asked enterprises what qualities they look for when choosing outsourcer. Data security and fraud prevention appeared to be the second important factors for them, he said. “The security of clients’ data is absolutely top of mind for nearshore providers,” Williams added.
As part of the settlement, AT&T must put in place robust internal processes to prevent future breaches and notify customers if and when their personal details are stolen.
FCC Chairman Tom Wheeler stated that “the agency cannot and will not stand idly by” when a carrier’s lax data security practices expose the personal information of hundreds of thousands of Americans. He went on to say that the agency will punish every phone company that fails to safeguard the personal information of customers.
Travis LeBlanc, Chief of the Enforcement Bureau, stated that the regulator will make sure that all phone companies properly secure customer data and promptly notify customers when their personal data has been breached.