DirecTV (AT&T) and CenturyLink are facing a new class action lawsuit (pdf) alleging that the companies left private customer data online available for anybody to find via a simple search. The lawsuit, first reported by Geekwire, was filed Monday in US District Court in Seattle. The plaintiff claims that a simple online search for his phone number allowed him to find his "name, address, telephone number and other information" unsecured online for anybody to view.
"Plaintiff Jantos, through a simple internet search using a common search engine, discovered that his March 2017 bill from CenturyLink and DirecTV/DirecTV, LLC, was publicly available for anyone to view on the internet," the lawsuit alleges. "The bill contained personally identifiable information, including his name, address, phone number, phone numbers that he had called and received calls from, and his DirecTV/DirecTV, LLC, billings."
"Concerned, and unsure if the information was only available to him due to his previous online access to his account, he investigated the scope of the disclosure," the lawsuit continues, noting that the plaintiff was "able to easily access personally identifying information of other subscribers of Defendants, including charges on other subscribers DirecTV/DirecTV, LLC, bills."
"Like the information he discovered online about himself, he was able to view the names, addresses, phone number, subscriptions, and bills from other subscribers," states the suit. "In order to confirm that the information was available to others, he asked another individual to attempt to access information from his computer as well. Like Jantos, this individual was able to access personally identifiable information of DirecTV/DirecTV, LLC, subscribers."
The lawsuit is seeking punitive damages of $100 a day for each violation. It claims that CenturyLink and DirecTV are in violation of Section 338 of the Communications Act, which prohibits pay TV providers from exposing customer information without written consent, and requires they take steps to protect customer information from being accessed by others. Quite often, telecom and pay TV operators grow so quickly via M&A, things like data privacy and customer service can, more often than not, fall through the cracks.
"We’re reviewing the complaint, but the allegations in it do not involve our bills," AT&T said in a statement it provided DSLReports. The lawsuit does seem to indicate that this data may have been gleaned wholly from CenturyLink, who sells bundled DirecTV service:
quote:
CenturyLink also acted as the agent of DirecTV and/or DirecTV, LLC, in connection with the marketing, selling, billing, and distribution of bills (including making the bills available for public access) of DirecTV’s services. CenturyLink is also an agent for DirecTV and/or DirecTV, LLC, for purposes of all tasks associated with billing certain bundled services provided by DirecTV and/or DirecTV, LLC, to its subscribers.
CenturyLink did not immediately respond for a request for comment.