RealTime IT News

AT&T After 'John Doe' Data Brokers

AT&T opened a new line of legal attack Wednesday on data brokers selling unauthorized telephone records over the Internet.

In a lawsuit filed in San Antonio, Texas, the company sued 25 "John Doe" defendants it claims used fraudulent means to gain access to confidential customer information.

AT&T's suit seeks an immediate injunction to halt the unauthorized parties from accessing customer information or sharing it with any third party.

AT&T is also seeking the return of any confidential customer information in possession of the data brokers, return of any profits gained in selling the data and monetary damages.

Verizon, Cingular and Sprint Nextel have filed similar suits in the past, but they all named specific data brokers.

AT&T's lawsuit, on the other hand, aims to provide the company with the legal process to use e-mail and IP addresses to identify those who use illegal means to gain access to AT&T's phone records.

"We're taking this action on behalf of our customers," Priscilla Hill-Ardoin, chief privacy officer for AT&T, said in a statement.

"We intend to vigorously pursue these individuals who, through fraud, have attempted to obtain unauthorized access to customer information."

Hill-Ardoin said an AT&T internal investigation identified about 2,500 customers as possible victims of the John Doe data brokers.

Social Security numbers, driver's license numbers or other sensitive financial data were not disclosed, but AT&T said the brokers gained access to personal call records.

AT&T notified the affected customers and froze access to their online accounts.

"This affects only a tiny fraction of our customers," Hill-Ardoin said. "But we will pursue this on behalf of our customers to the end."

Under the Telecommunications Act of 1996, telephone carriers are obligated to protect the Consumer Proprietary Network Information (CPNI) of all customers.

The CPNI is considered sensitive personal data since it includes logs of calls that individuals or businesses initiate and receive on their phones.

Last year, though, the Electronic Privacy Information Center (EPIC) petitioned the Federal Communications Commission (FCC) to investigate the apparent widespread sale of CPNI data over the Internet.

"Data brokers and private investigators are taking advantage of inadequate security through pretexting, the practice of pretending to have authority to access protected records," FCC states.

The EPIC petition prompted the FCC to move against the data brokers selling the unauthorized data. And it prompted Congress to introduce a spate of legislation aimed at stopping the practice.

In July, the FCC fined LocateCell (also doing business as First Data Solutions, of Knoxville, Tenn., and 1st Source Information Specialists, of Tamarac, Fla.) $97,500 for failing to respond to a subpoena request.

The previous month, 11 data brokers identified by the House Energy and Commerce Committee as selling unauthorized phone data took the Fifth Amendment when asked to name the source of the data they are selling.

In March, the House Judiciary Committee approved on a 41-0 vote the Prevention of Fraudulent Access to Phone Records Act, criminalizing the fraudulent sale or solicitation of confidential phone records.

The bill carries a maximum penalty of 20 years in prison for pretexters and imposes maximum five-year jail terms on Web sites selling or transferring confidential phone records without authorization.

Individuals buying the records would also face possible prison time of up to five years.

The legislation authorizes the Federal Trade Commission and the FCC to shut down data broker sites selling non-public information.

The legislation is awaiting a full House vote. Similar bills are pending in the Senate.

"We're encouraged that both federal and state legislators are taking a close look at specifically criminalizing this sort of fraud related to calling records," Hill-Ardoin said.