SAN ANTONIO – AT&T filed suit Wednesday to identify 25 data brokers who it claims fraudulently obtained phone-calling records for about 2,500 customers without their approval.
AT&T Inc. said the data brokers posed as customers to get the records, which are often used in legal or domestic disputes.
The lawsuit, filed in San Antonio's federal court by the services unit of AT&T, does not name the defendants. The phone company said the lawsuit would give it legal standing to identify the data brokers through e-mail and Internet Protocol addresses.
Once the names are known, AT&T said it would seek an injunction to bar them from further tapping phone records. It also said it would seek damages, including the return of any profit from selling customer information.
San Antonio-based AT&T said the data brokers did not obtain Social Security numbers, driver's license numbers or financial or credit information.
Priscilla Hill-Ardoin, AT&T's chief privacy officer, said a company investigation identified about 2,500 customers whose records may have been obtained by data brokers. The customers have been notified and access to their online accounts has been frozen, the company said.
AT&T said data brokers posed as customers to get confidential information that they then used to set up unauthorized online accounts, which gives them access to recent calling records and other information.
AT&T spokesman Michael Coe said this is the company's first lawsuit related to data brokers.
"The fact that any activity was going on, we not only wanted to close the account and notify our customers ... (but also) go after the people who were perpetrating this fraud against our customers," Coe said.
The company said it has taken steps to prevent data brokers from getting customer information, although it did not provide any details.
While AT&T is the plaintiff in the latest case, it remains a defendant in a privacy lawsuit in San Francisco federal court over its alleged participation in the Bush administration's warrantless domestic spying program. In that suit, the Electronic Frontier Foundation accused AT&T of illegally making communications on its networks available to the government.
While there are thousands of places to buy records, most can be tracked back to a fairly small number of data brokers who actually extract customer information, said Rob Douglas, CEO of PrivacyToday.com and an information security consultant who has testified before Congress on the issue.
"The people who are actually doing this is a relatively finite number ... at most a couple dozen across the country," Douglas said from Steamboat Springs, Colo.
Douglas said those seeking information like phone records could include soon-to-be ex-spouses in the midst of a divorce proceeding, competing businesses and corporations, stalkers and law enforcement.
Douglas said "pretexting" — where a data broker poses as the customer to get information — is most commonly done by phone in calls to customer service centers or the victims themselves.
The Federal Communications Commission is looking at how "to further protect the privacy of customer proprietary network information that is collected and held by telecommunications carriers," according to a February statement.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the telephone industry also needs stronger security standards. He said it's often too easy to create online accounts and that password protections can be inadequate.
"There are a number of things we felt they (phone companies) could do to better protect information," Rotenberg said, who also said he was glad AT&T planned to pursue the data brokers.