When phone line is hacked, who’s on the hook?


Either Cynthia Elkins, a Woodland Hills employment lawyer, has been burning up the phone lines trying to fix the situation in the Middle East, or she’s a pretty obvious victim of fraud.

It’s hard to draw any other conclusions after more than $20,000 in calls to places like Israel, Egypt, Saudi Arabia, the Palestinian territories and elsewhere in the region appeared on her AT&T bill.

“I’m a local attorney,” Elkins, 51, told me. “I don’t have an international practice. I don’t know anyone in these countries. These are unequivocally not my calls.”


So it would seem, especially because no other calls to these far-flung places have been made in the 12 years she’s been an AT&T customer.

Yet Elkins ended up in a Kafkaesque corporate nightmare in which AT&T dragged out the situation for almost a year, telling her repeatedly to ignore the charges but then demanding that she pay up.

“I’m so disgusted,” she said. “They’re just taking advantage of a small-business owner. It makes me wonder how many other people they’ve done this to.”

AT&T says that if a customer’s phone system gets hacked, the company isn’t responsible for any fraudulent charges that accrue.

“If your toaster blows up in your home, you don’t expect the electricity company to be responsible for it,” said John Britton, an AT&T spokesman. “It’s your toaster.”

Elkins said she arrived at work a year ago to find a voice message from AT&T warning that her international calls weren’t covered by her current plan and that she may need to think about upgrading.

Elkins had no idea what that was about until her September 2010 bill arrived. The total for long-distance service for the month was $13,184.20.

That included 159 calls to Israel, 93 calls to Egypt, 16 calls to Morocco, 12 calls to Saudi Arabia and five calls to the Palestinian territories.

Then Elkins’ October bill arrived with $7,495.76 in additional charges for calls to all these countries, plus a few to Iraq and Libya.

She said it wasn’t easy getting AT&T to even acknowledge the problem. “I spent in excess of 25 hours trying to resolve this and pulling my hair out in the process,” Elkins said.

Finally, she said, she reached a service rep who admitted that “this happens all the time,” and that there have been some cases of hackers taking over people’s phone lines and running up hundreds of thousands of dollars in calls.

“I was told that it was obvious these weren’t my calls and I wouldn’t be held responsible,” Elkins said. “AT&T made it clear that I didn’t have to worry about it.”

The over $20,000 in past-due charges kept appearing on her monthly bills, but the phone company told Elkins to ignore it.

Then, in April, she received a message from AT&T that if she didn’t pay the $20,000 within three days, her phone service would be shut off. Elkins immediately called the rep she’d been dealing with and was told — yet again — not to worry about it.

But in June she got a call from someone else at the company saying he would now be handling things.

“He asked me how I’d like to make payment to resolve the matter,” Elkins recalled. “He told me it was obvious that the breach occurred through my system, so I was responsible.”

Elkins told me she consulted with an info-tech professional and her office building’s management firm, and there was no evidence that either her office or the building’s equipment had been compromised. No other tenant reported anything funny with their phone bills.

“So for all I know, it was AT&T’s system that was breached,” Elkins said.

Be that as it may, she said the phone company was no longer in an accommodating mood. It wanted some money, and it wanted it pronto.

The best corollary that comes to mind is credit cards. If a fraudster gets hold of your card number and runs up a bunch of charges, the card company won’t hold you accountable. As long as it’s clear that an act of fraud took place, you’re off the hook.

AT&T doesn’t operate that way. Even if it’s plain that you’re a fraud victim, the phone company will still try to stick you with the tab if it believes it was your system, and not the company’s, that was hacked. Verizon has a similar policy.

AT&T’s Britton said the company has resolved things with Elkins. But, he said, both parties signed a nondisclosure agreement prohibiting them from discussing details of the settlement.

Elkins said AT&T contacted her last month to let her know that the matter was now closed and that it looks forward to continuing to meet her telecom needs.

She said she’ll be contacting AT&T soon to let it know that she’s switching phone companies.

David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to