AT&T breaks privacy guidelines

AT&T has broken its own privacy rules by distributing the contact details of its customers online.

Users of the AT&T Connect & Save, long-distance telephone service received an email offering them new discounts - along with the email addresses of the 1,799 other customers on the mailing list. Although the mail was sent out on April 7, AT&T only found out yesterday, after recipients got in touch.

"We have apologised and taken full responsibility for the mistake," an AT&T spokesman told Silicon.com. "It was human error, and we will be doing a full analysis to ensure it never happens again. Protecting customer records is at the top of our privacy policy."

An unnamed employee had used the "to" field instead of "bcc" (blind carbon copy) in the header of the mass-mailout. The market value of the address list is not enormous, but the mistake could have serious consequences for AT&T.

"Email addresses are only worth £300 or £400 per thousand names," one online sales director told Silicon.com. "But the list has an intrinsic value because normally you never get to access the names yourself." He added that the loss to AT&T's reputation was infinite, due to their breach of consumer trust.

Mr Yaman Akdeniz, director of Cyber-Rights and Cyber-Liberties, agreed. "In Europe, an apology would not be acceptable. There should be financial redress for consumers, especially with a major company like AT&T," he told Silicon.com.

Under European law, AT&T's mistake would be considered a breach of the data protection principles. But even here, it would not be a criminal offence. "We don't have the power to punish," stressed Phil Jones, an assistant data protection registrar in the UK. "If a company holds its hands in the air, admits a mistake and takes steps to rectify its procedures, then the investigation would end there."

"However," he added, "if a European individual can prove they've suffered as a result, then a court can order compensation."

AT&T's customer affairs spokesman said he could not even begin to speculate whether any of the customers affected were planning private litigation in the US.