As a result, AT&T will settle with the Federal Communication Commission for $25 million, the largest privacy- and data-security initiative in the Commission’s history.
At play are a number of scams, all centered around one practice. They relied on AT&T’s program of locking many customers’ phones from being used by other carriers, but allowing those phones to be unlocked provided the person holding the phone could input an unlock code.
Those codes are easily available on AT&T’s website for visitors who can input a given customer’s phone number, full name, last four digits of a Social Security number, and phone’s unique IMEI number.
The scam, according to a senior FCC official, was pretty straightforward. AT&T subcontracts out some of its customer service to third-party companies in Mexico, Colombia, and the Philippines. Criminals would contact individuals who worked for those companies and provide them with a phone’s IMEI and phone numbers—often readily available just by looking at a stolen phone—and ask those contracted employees to fill in customers’ names and partial Social Security numbers.
The FCC official was unsure if the stolen information was used for other purposes.
With those generated codes, phone thieves could easily turn a stolen AT&T phone into one that works on any carrier.
The FCC official gave the most details about the scam in Mexico, where some of that stolen personal information was sold off to a group known as “El Pelon,” or “The Fear.” Over a roughly six-month period ending in the spring of 2014, three employees in an AT&T-contracted call center in Mexico sold information on 68,000 accounts without those customers’ authorization. Because inputting customer information can provide someone with up to five AT&T unlock codes, the FCC said those three employees alone led to 290,803 phone unlocking requests.
It’s unclear how many of those were actually used to unlock stolen phones, though, or if those call centers also worked with other American phone providers. The FCC declined to name those companies.
The Philippines and Colombia call centers totalled at least 211,000 recent customer account breaches, the FCC said in a press release.
Correction: The original headline incorrectly stated the number of AT&T customers affected. Nearly 280,000 customers were affected by the scams, according to the FCC.
Illustration by Fernando Alfonso III