AT&T and CenturyLink are Being Sued for Exposing Millions of Private Customer Accounts Online

Dismayed customers of both AT&T-owned DirecTV and CenturyLink are now taking action against these companies for failing to protect their information online.

These days, most of the outrage surrounding privacy involves Facebook.  But it turns out that AT&T and CenturyLink may be even worse.

Now, both companies are facing a class action lawsuit for some pretty bad behavior.  The AT&T-owned DirecTV and CenturyLink have been accused of leaving private customer data online available for anybody to find via a simple search.  That is, for potentially millions of customers.

DirecTV and CenturyLink have nearly 45 million customers combined.  At this stage, we’re unclear how many of those customers were affected by the privacy lapse, though potentially tens of millions were affected.

Last Monday, a class action lawsuit was filed in the US District Court in Seattle.  According to one plaintiff, James Jantos, a simple online search for his phone number allowed him to find his “name, address, telephone number and other information” unsecured online for anybody to view.

Even a bill was available online — with nothing blotted out or hidden.  “The customer discovered that his March 2017 bill from CenturyLink and DirecTV/DirecTV, LLC, was publicly available for anyone to view on the internet,” the lawsuit alleges. “The bill contained personally identifiable information, including his name, address, phone number, phone numbers that he had called and received calls from, and his DirecTV/DirecTV, LLC, billings.”

Naturally, this person got concerned and started investigating.  “[He was] unsure if the information was only available to him due to his previous online access to his account, [so] he investigated the scope of the disclosure,” the lawsuit continues.

Facebook Cancels Its Smart Speaker Amidst Growing Privacy Concerns

The complaint further noted that the plaintiff was “able to easily access personally identifying information of other subscribers of Defendants, including charges on other subscribers DirecTV/DirecTV, LLC, bills.”

Failing to protect private customer data is a clear violation of Section 338 of the Communications Act.  The plaintiff class is seeking $100 per violation, which could really add up.

Accordingly…

AT&T says ‘it wasn’t me’.

The defendants are now playing the blame game, with AT&T passing the buck to CenturyLink. According to an AT&T spokesperson, the allegations do not involve their bills — and the data exposed may have been extracted fully from CenturyLink.  You see, CenturyLink is selling a bundled DirecTV service.

“We’re reviewing the complaint, but the allegations in it do not involve our bills,” AT&T told DSLReports.

Here’s how the lawsuit puts it:

“CenturyLink also acted as the agent of DirecTV and/or DirecTV, LLC, in connection with the marketing, selling, billing, and distribution of bills (including making the bills available for public access) of DirecTV’s services,” the complaint alleges.  “CenturyLink is also an agent for DirecTV and/or DirecTV, LLC, for purposes of all tasks associated with billing certain bundled services provided by DirecTV and/or DirecTV, LLC, to its subscribers.”

Sounds like a defensible pass-the-buck.  But does it really get AT&T off the hook?  Even worse: why isn’t AT&T giving more of a crap about its own customers?

Here’s the complete class action filing.