According to the FCC’s report, the primary breach was a lengthy operation spanning 168 days at AT&T’s Mexico call center, where three employees illegally accessed nearly 70,000 accounts. What did they want with all this information? Apparently, two of the employees confessed they were selling the data to a shadowy group or person known only as El Pelon, which is apparently slang for “the bald guy,” or slightly more sinisterly, “The Bald One.”
The Bald One, or members of his follicle-challenged gang, went on to use around 50,000 of these records to file 290,000 unlock requests via AT&T’s online system. Presumably, this was to unlock stolen phones ready for use on other networks.
Although the FCC’s investigation specifically details the Mexico breach between November 2013 and April 2014, AT&T had been aware of the situation before and after those dates. In December 2012, an employee at the center was fired for accessing accounts without authorization, and another resigned for a similar reason in January 2013. Neither incidents were classed as breaches by AT&T. In March this year, AT&T told the FBI it was investigating similar data breaches in Colombia and the Philippines.
The $25 million fine is the largest the FCC has handed out to date over security enforcement, and it has also ordered AT&T to appoint a senior data security compliance manager, develop a new compliance plan, and train its employees on privacy policies. The network will also provide a free number for customers to call if they’re concerned about their own data. AT&T stopped using the call center in Mexico during September 2014, and has 30 days to pay the FCC.
