Don’t call us. We’ll call you. And steal your data.

AT&T image of data theftWhile the EU General Data Protection Regulation (GDPR) requirements have yet to be finalised, 20 years of European jurisprudence is a strong indication of the direction of travel where the supervisory authorities are going to clamp down hard on those organisations and their outsourcing providers that violate the new minimum standards for data protection.

And if you’re in any doubt how hard this will impact the telecoms sector, then you should look no further than what’s just happened to AT&T earlier this week in the US to get a taste of what we can expect to see here in the EU in the wake of the GDPR.

The US Federal Communications Commission (FCC) reached a settlement with the telecoms giant AT&T to pay close to $25m for a series of consumer data privacy violations following an investigation where in excess of 280,000 customers’ data records were illegally accessed and stolen by employees working at AT&T Call Centres in Mexico, Colombia and the Philippines.

To put that into context, the fine equates to around $90 per data record that was breached.

AT&T customer data was used to request unlock codes for AT&T handsets and this data was then provided to unauthorized “third parties” dealing in stolen and “secondary market” handsets.

Such practices may have escaped detection for years and not just within AT&T but across the telecoms sector as it’s highly unlikely to have been an isolated incident.

The FCC has taken the step to make its investigation and subsequent fine a very public matter so as to send a warning shot to all other telecoms companies and outsourcing providers that such data breaches will be severely punished. And European data protection authorities (DPAs) are studying the details of this case with close interest as they aren’t exactly a push-over when it comes to taking action on such a scale.

“You have to recognise that the sheer amount of data that these companies store and process on a daily basis leaves them extremely vulnerable to data breaches on this type of scale,” comments Professor Bryan Foss, a leading data protection and technology expert and former IBM director.

“It’s very common for organisations the size of AT&T to outsource such activities and related services to outsourcing providers and in doing so a great deal of data protection and security is passed—and quite possibly compromised—through the supply chain to third-party service providers.

“The situation also raises interesting questions as to levels of responsibility, as well as liability with regard to data flows through supply chains, and whether adequate safeguards and privacy compliance measures exist with service partners and vendors across the spectrum of industries. The GDPR squarely places responsibility for such data breaches on the shoulders of data controllers and processors,” adds Professor Bryan Foss.

This issue also reaches well beyond internal compliance policies that many large organisations must now look at in some detail, usually as a result of a data protection impact assessment (DPIA) that should be carried out across the whole organisation rather than simply on a project basis.

“However, this still leaves many other questions unanswered such as how do organisations implement sufficient data traceability measures as well as the levels of protection from the source and entry points to potential exit points through to the end of the supply chain,” observes Professor Bryan Foss.

In its news release, FCC announced:

“AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities…”

In response, AT&T has sought to calm the nerves of its shareholders and investors by releasing the following statement:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

Should AT&T and other telecoms providers continue to fall below the data protection standards expected of them they can be certain of being subject to severe fines on both sides of the Atlantic.

Leave a reply