AT&T After ‘John Doe’ Data Brokers


AT&T opened a new line of legal attack Wednesday on data brokers selling
unauthorized telephone records over the Internet.


In a lawsuit filed in San Antonio, Texas, the company sued 25 “John Doe” defendants it claims used fraudulent means to gain access to confidential
customer information.


AT&T’s suit seeks an immediate injunction to halt the unauthorized parties
from accessing customer information or sharing it with any third party.


AT&T is also seeking the return of any confidential customer information in
possession of the data brokers, return of any profits gained in selling the
data and monetary damages.


Verizon, Cingular and Sprint Nextel have filed similar suits in the
past, but they all named specific data brokers.


AT&T’s lawsuit, on the other hand, aims to provide the company with the
legal process to use e-mail and IP addresses to identify
those who use illegal means to gain access to AT&T’s phone records.


“We’re taking this action on behalf of our customers,” Priscilla
Hill-Ardoin, chief privacy officer for AT&T, said in a statement.

“We intend
to vigorously pursue these individuals who, through fraud, have attempted to
obtain unauthorized access to customer information.”


Hill-Ardoin said an AT&T internal investigation identified about 2,500
customers as possible victims of the John Doe data brokers.

Social Security
numbers, driver’s license numbers or other sensitive financial data were not
disclosed, but AT&T said the brokers gained access to personal call records.


AT&T notified the affected customers and froze access to their online accounts.


“This affects only a tiny fraction of our customers,” Hill-Ardoin said. “But
we will pursue this on behalf of our customers to the end.”


Under the Telecommunications Act of 1996, telephone carriers are obligated
to protect the Consumer Proprietary Network Information (CPNI) of all
customers.

The CPNI is considered sensitive personal data since it includes
logs of calls that individuals or businesses initiate and receive on their
phones.


Last year, though, the Electronic Privacy Information Center (EPIC) petitioned
the Federal Communications Commission (FCC) to investigate the apparent widespread sale of CPNI data over the Internet.


“Data brokers and private investigators are taking advantage of inadequate
security through pretexting, the practice of pretending to have authority to
access protected records,” FCC states.


The EPIC petition prompted the FCC to move against the data brokers selling
the unauthorized data. And it prompted Congress to introduce a spate of legislation aimed at stopping the practice.


In July, the FCC fined
LocateCell (also doing business as First Data Solutions, of Knoxville,
Tenn., and 1st Source Information Specialists, of Tamarac, Fla.) $97,500 for
failing to respond to a subpoena request.


The previous month, 11 data brokers identified by the House Energy and
Commerce Committee as selling unauthorized phone data took the Fifth Amendment when asked to name the source of the data they are selling.


In March, the House Judiciary Committee approved on a 41-0 vote the Prevention of Fraudulent Access to Phone Records Act,
criminalizing the fraudulent sale or solicitation of confidential phone
records.


The bill carries a maximum penalty of 20 years in prison for pretexters and
imposes maximum five-year jail terms on Web sites selling or transferring
confidential phone records without authorization.


Individuals buying the records would also face possible prison time of up to
five years.


The legislation authorizes the Federal Trade Commission and the FCC to shut
down data broker sites selling non-public information.


The legislation is awaiting a full House vote. Similar bills are pending in
the Senate.


“We’re encouraged that both federal and state legislators are taking a close
look at specifically criminalizing this sort of fraud related to calling
records,” Hill-Ardoin said.

News Around the Web