AT&T will pay a $550,000 settlement to end an investigation into its handling of customers' telephone information.
The company recently agreed to pay the money on behalf of SBC, which acquired AT&T and adopted its name. The companies cooperated with the enforcement bureau of the Federal Communications Commission during an investigation into whether customer confidentiality was breached. The payment, due within 30 days, does not constitute an admission of wrongdoing, according to language in the agreement.
The company agreed to supervision and review of its opt-out processes for releasing proprietary customer network information (CPNI). The company also agreed to monitor customer complaints and identify violations of the FCC's opt-out rules.
The Electronic Privacy Information Center claimed it prompted the investigation when it submitted a petition to the FCC, but AT&T said the failures were self-reported. EPIC had been arguing for strengthened security and authentication standards for accessing customer phone records, including call histories, subscribers' unlisted phone numbers and other personal information obtained by online information brokers.
In the petition, EPIC pointed out that online brokers advertise their ability to obtain the information without account holders' knowledge and consent, that the information is gained in hours (indicating it could not have been obtained legally) and that carriers are not careful enough about validating the identity of the person requesting the information. EPIC suggested that carriers were not doing their part to prevent pretexting, the practice of assuming an identity to obtain personal information from an account holder.
AT&T said that the company made errors relating to sharing of information with its own internal marketers, not outside entities. The company claimed it discovered the issue, corrected it, reported it and took steps to ensure that it does not recur.