Nearly 280,000 AT&T customers had their personal data stolen by scammers, including the last four digits of social security numbers and other identifying information. The huge breach happened when at least three AT&T employees at a Mexico-based call center sold customer data to scammers.


The breach went down from November 2013 to April 2014, lasting 168 days. That’s an absurdly long time for AT&T not to notice a scam of this scale. The Federal Communications Commission is now making the telecom company pay for its lax security, to the steep tune of $25 million. AT&T also has to revamp its security policies (ya think?) and hire a compliance manager.

The scammers apparently wanted customer data so they could unlock AT&T devices. AT&T will “unlock” a device so it can be used with other carriers, as long as a customer makes an unlocking request online. But to make the request, you need certain customer information, like the last four digits of your social security number.


Locked phones are useless on another network, so the thieves wanted as much data as possible to make the stolen phones worth it. AT&T gives up to five unlocking requests per customer, so the breach gave thieves five opportunities to unlock stolen phones for each stolen customer profile.

AT&T ended up shutting down its Mexican call center, but that’s a pretty lackluster response to the problem. And it didn’t work: in March 2015, AT&T admitted that it was investigating similar instances in the Philippines and Colombia, and it has tallied an additional 211,000 accounts breached.

Update, 4/9, 9:00 a.m. ET: “Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information,” an AT&T spokesperson told Gizmodo in a statement. [FCC via Daily Dot]


Contact the author at kate.knibbs@gizmodo.com.
