AT&T Data Breach Affects 1,600 Customers
A recent data breach at AT&T is statistically smaller than other recent incidents, but still highlights security implications for the telecom sector, said industry participants in interviews Tuesday. AT&T has begun to notify about 1,600 customers whose information may have been compromised in August during an internal data breach. A now-former AT&T employee apparently violated the telco’s privacy rules and accessed customer information that could include Social Security numbers and driver’s license numbers, along with customer proprietary network information (CPNI), the company said in a form letter posted online by the office of Vermont Attorney General William Sorrell.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
AT&T promised to reverse any fraudulent charges to affected customers’ accounts and said it will pay for one year of opt-in credit monitoring through CSID. The telco also said it notified federal law enforcement agencies in compliance with FCC rules (http://bit.ly/1s3mbnL). An AT&T spokesman confirmed the details of the form letter, saying “we take our customers’ privacy very seriously and value the trust they have in us."
FCC CPNI rules are often overlooked but are “really effective,” making consumers “more protected in this area than they are in any other area” for data breaches, said Public Knowledge Senior Vice President Harold Feld. The rules are particularly effective because they can protect consumers in states with weaker data breach laws, he said. The incident underscores the need for the FCC and FTC to overlap on data breach issues, Feld said. The FTC has been urging Congress to increase its authority to handle data security issues, most recently during a September speech by Commissioner Julie Brill (CD Sept 18 p15).
Feld credited AT&T with responding strongly to the data breach and complying with FCC rules. Cybersecurity and data security were already important to the communications sector, but the FCC’s recent interest in expanding its role in cybersecurity underscores the need for compliance with existing rules, said K&L Gates lawyer Roberta Anderson, whose practice focuses on commercial litigation, cybersecurity and data privacy. AT&T’s compliance with the rules is also important due to its status as a top national telco, she said.
The AT&T breach affected a relatively limited number of customers, but it shows the potential implications if larger breaches occur, Anderson said. “If the purpose of a breach at a company like AT&T is to shut down a system rather than access customer information, you're dealing with potential business interruptions, not just for AT&T but for all of the entities that use them as a service provider.” The FCC is right to focus on improving cybersecurity in the telecom sector, but the AT&T breach “is a reminder not to overlook old-fashioned crime and the need to maintain existing protections,” Feld said. Non-cyber breaches like the AT&T breach can still enable cyberhackers by potentially exposing information that can be used to gain access to networks, he said. “You may have a state-of-the-art security system, but you also need to remember to lock your door.”