AT&T, Sprint, T-Mobile and Verizon fined nearly $200m for data protection failures

Largest wireless carriers in US found illegally sharing access to customers’ location data.

AT&T, Sprint, T-Mobile and Verizon, the largest wireless carriers in the US, have been fined close to $200m by the Federal Communications Commission (FCC) for illegally sharing access to customers’ location data without their consent. They were also found not to be taking sufficient measures to protect the data against unauthorized disclosure.

AT&T was fined more than $57m, and Verizon almost $47m. Sprint and T-Mobile, which have merged since the investigation began, were fined more than $12m and over $80m, respectively.

“The largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors,” said FCC Chairwoman Jessica Rosenworcel.

“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.”

Location disclosed to a sheriff

The issues and legal concerns were first highlighted in 2018, stemming from a public letter. In its investigation, the agency found that each company sold access to its customers’ location data to “aggregators,” who then resold access to the information to third-party location-based service providers.

By doing so, the FCC said that each carrier tried to “offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained.”

It was also revealed that information about customers’ location was disclosed – without consent or other legal authorization – to a Missouri sheriff. Through a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, the sheriff was able to track the location of numerous individuals.

Failures continued

The failure then escalated when the company continued to sell access to customer information even though it had become aware that its safeguards were ineffective, and failed to take adequate measures to protect the information from unauthorized access.

“The protection and use of sensitive personal data such as location information is sacrosanct,” said Loyaan A Egal, Chief of the FCC Enforcement Bureau and Chair of its Privacy and Data Protection Task Force.

“When placed in the wrong hands or used for nefarious purposes, it puts all of us at risk. Foreign adversaries and cybercriminals have prioritized getting their hands on this information, and that is why ensuring service providers have reasonable protections in place to safeguard customer location data and valid consent for its use is of the highest priority for the Enforcement Bureau.”

By law, including section 222 of the Communications Act, carriers must take proper measures to protect certain customer information, such as location. Carriers are also required to uphold the confidentiality of such information and have customer consent before using, disclosing, or allowing access to it. These obligations continue to apply when the data is shared with third parties.