AT&T Inc. has agreed to pay $25 million to settle an investigation into data breaches at call centers in Mexico, Colombia and the Philippines that led to the disclosure of personal information of about 280,000 U.S. customers, federal regulators said Wednesday.
Employees at the call centers were paid for the information by people, including a mysterious man in Mexico known only as El Pelon, who appear to have been using it to unlock stolen cellphones, the Federal Communications Commission said.
The call centers, which were operated by third parties, handled calls from U.S. customers, the FCC said. The data breaches began in 2013 and continued into last year.
The settlement is the largest ever by the agency in a privacy case.
“As the nation's expert agency on communications networks, the commission cannot -- and will not -- stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler.
Because of state laws, AT&T customers in California and Vermont previously had been notified that their personal information was improperly disclosed in the breach.
However, other customers were unaware of the problem. Under the settlement, AT&T must notify them and pay for credit monitoring services as well as improve the company's data security practices, the FCC said.
AT&T said it was reaching out to affected customers.
“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard," the company said in a statement. "Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate."
Neither the FCC nor AT&T would name the call centers.
Last May, the FCC began investigating the data breach at the Mexico call center, which handles calls from Spanish-speaking U.S. customers.
From November 2013 until April 2014, three call center employees were paid to provide the names and at least the last four digits of Social Security numbers for more than 68,000 U.S. customers, the FCC said.
The information could be used to submit online requests to AT&T to unlock cellphones. Each customer is allowed to request unlock codes for five phones, and the FCC said the improperly obtained information was used for 290,083 such requests.
At least two of the employees said they sold the information to El Pelon. The FCC said its officials do not know the man's identity.
During the investigation, the FCC learned that there were similar data breaches at call centers in Colombia and the Philippines involving the personal information of about 211,000 U.S. customers, the agency said.
In December, AT&T changed its phone unlocking policy to no longer require information from customer records, the FCC said.
Follow @JimPuzzanghera on Twitter